40 lines
1.1 KiB
Nix
40 lines
1.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
imports = [ ./paranoid.nix ./users.nix ./services ];
|
|
|
|
nix.autoOptimiseStore = true;
|
|
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9"
|
|
];
|
|
|
|
services.tailscale.enable = true;
|
|
|
|
# Tell the firewall to implicitly trust packets routed over Tailscale:
|
|
networking.firewall.trustedInterfaces = [ "tailscale0" ];
|
|
|
|
security.auditd.enable = true;
|
|
security.audit.enable = true;
|
|
security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];
|
|
|
|
security.sudo.execWheelOnly = true;
|
|
environment.defaultPackages = lib.mkForce [ ];
|
|
|
|
services.openssh = {
|
|
passwordAuthentication = false;
|
|
allowSFTP = false; # Don't set this if you need sftp
|
|
challengeResponseAuthentication = false;
|
|
extraConfig = ''
|
|
AllowTcpForwarding yes
|
|
X11Forwarding no
|
|
AllowAgentForwarding no
|
|
AllowStreamLocalForwarding no
|
|
AuthenticationMethods publickey
|
|
'';
|
|
};
|
|
|
|
# PCI compliance
|
|
environment.systemPackages = with pkgs; [ clamav ];
|
|
}
|