{ config, pkgs, ... }:

# Baseline hardening profile for a NixOS host: tighten the sudo and Nix
# daemon privilege boundaries, turn on mandatory access control and
# auditing, enable brute-force mitigation and apply a conservative
# network sysctl profile.  All options are merged by the NixOS module
# system; `config` and `pkgs` are accepted but not read here.
{
  security = {
    # Only members of `wheel` may execute the sudo binary at all.
    sudo.execWheelOnly = true;

    # Mandatory access control through AppArmor.
    apparmor.enable = true;

    # Kernel audit subsystem plus the userspace auditd that records events.
    audit.enable = true;
    auditd.enable = true;
  };

  # Restrict who may connect to the Nix daemon to the `wheel` group
  # (trusted users are still allowed to connect).
  nix.settings.allowed-users = [ "@wheel" ];

  # Ban sources that repeatedly fail authentication.
  # NOTE(review): the NixOS fail2ban module expects a firewall to be
  # enabled; networking.firewall.enable defaults to true — confirm it is
  # not disabled elsewhere in the configuration.
  services.fail2ban.enable = true;

  boot.kernel.sysctl =
    let
      # `conf.all.*` covers interfaces that already exist, `conf.default.*`
      # the ones created afterwards; both are set so nothing slips through.
      ipv4 = {
        # Log packets with impossible source addresses.
        "net.ipv4.conf.all.log_martians" = 1;
        "net.ipv4.conf.default.log_martians" = 1;
        # Do not answer broadcast pings (smurf-style amplification).
        "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
        # Neither honour nor emit ICMP redirects; this host is not a router.
        "net.ipv4.conf.all.accept_redirects" = 0;
        "net.ipv4.conf.default.accept_redirects" = 0;
        "net.ipv4.conf.all.send_redirects" = 0;
        "net.ipv4.conf.default.send_redirects" = 0;
      };
      ipv6 = {
        "net.ipv6.conf.all.accept_redirects" = 0;
        "net.ipv6.conf.default.accept_redirects" = 0;
      };
      kernel = {
        # Reading the kernel ring buffer requires CAP_SYSLOG.
        "kernel.dmesg_restrict" = 1;
      };
    in
    # Key sets are disjoint, so the union is the same flat attrset as
    # listing every key inline.
    kernel // ipv4 // ipv6;
}