atridad/lavitz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security updates

Browse Source
This commit is contained in:
Atridad Lahiji
2025-12-19 13:49:05 -07:00
parent b1447f1ef5
commit cd9835676d
5 changed files with 49 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
modules/security.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
security.sudo.execWheelOnly = true;
nix.settings.allowed-users = [ "@wheel" ];
security.apparmor.enable = true;
security.audit.enable = true;
security.auditd.enable = true;
services.fail2ban.enable = true;
boot.kernel.sysctl = {
"kernel.dmesg_restrict" = 1;
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
};
}