{ config, lib, pkgs, ... }:

# Hardening baseline for this host: key-only root SSH, a firewall that trusts
# the Tailscale interface, execve auditing, a trimmed sudo/package surface and
# the ClamAV binaries. `config` is unused here but kept for the usual signature.
let
  # The only key granting root login over SSH; anything added here gets root.
  rootAuthorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9"
  ];

  # Lines appended verbatim to sshd_config (see services.openssh.extraConfig).
  sshdExtraConfig = ''
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    AuthenticationMethods publickey
  '';
in
{
  # Sibling modules carrying the rest of the host policy and user accounts.
  imports = [ ./paranoid.nix ./users.nix ];

  # Hard-link identical files in the Nix store to reclaim disk space.
  nix.autoOptimiseStore = true;

  users.users.root.openssh.authorizedKeys.keys = rootAuthorizedKeys;

  services.tailscale.enable = true;
  # Packets arriving on tailscale0 bypass the host firewall entirely, so
  # access control on that path rests on the tailnet's own ACLs.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  security = {
    auditd.enable = true;
    audit = {
      enable = true;
      # Record every 64-bit execve. NOTE(review): there is no matching
      # arch=b32 rule here, so 32-bit execve calls are not captured by this file.
      rules = [ "-a exit,always -F arch=b64 -S execve" ];
    };
    # Only members of wheel may execute the sudo binary at all.
    sudo.execWheelOnly = true;
  };

  # Drop the NixOS default package set; mkForce overrides any other module
  # (including the imported ones) that tries to populate it.
  environment.defaultPackages = lib.mkForce [ ];

  # sshd: public-key authentication only, no SFTP, no X11/agent/socket forwarding.
  services.openssh.passwordAuthentication = false;
  # Leave this unset if SFTP is needed on this host.
  services.openssh.allowSFTP = false;
  services.openssh.challengeResponseAuthentication = false;
  services.openssh.extraConfig = sshdExtraConfig;

  # PCI compliance
  # NOTE(review): this only installs the clamav binaries; nothing in this file
  # enables a scanning daemon or a signature updater, so unless paranoid.nix
  # does, no scans run and the signature database is never refreshed.
  environment.systemPackages = with pkgs; [ clamav ];
}