anotherhadi/nixy
1
Fork 0
mirror of https://github.com/anotherhadi/nixy.git synced 2026-05-20 05:12:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

hardening

Browse Source 
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
This commit is contained in:
Hadi
2026-04-11 11:27:39 +02:00
parent 28b7923e47
commit 2326857f65
6 changed files with 59 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server-modules/kernel-hardening.nix
+35
View File
@@ -0,0 +1,35 @@
# Kernel hardening for the server
{
boot.kernel.sysctl = {
# Restrict access to kernel logs and pointers
"kernel.dmesg_restrict" = 1;
"kernel.kptr_restrict" = 2;
# BPF hardening
"net.core.bpf_jit_harden" = 2;
"kernel.unprivileged_bpf_disabled" = 1;
# Reverse path filtering (anti-spoofing)
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
# SYN flood protection
"net.ipv4.tcp_syncookies" = 1;
# Disable IP source routing
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
# Ignore ICMP redirects (prevent MITM)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
# Restrict ptrace to parent processes only
"kernel.yama.ptrace_scope" = 1;
};
}
server-modules/mk-container.nix
+8 -1
View File
@@ -7,6 +7,13 @@
# externalInterface - WAN interface for NAT, required when internet = true
# bindMounts - host paths to mount into the container (see containers.<name>.bindMounts)
# config - NixOS module for the container
let
nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
services.nginx.serverTokens = false;
};
in
{
mkContainer =
{
@@ -29,7 +36,7 @@
localAddress = containerIp;
inherit bindMounts;
config = { ... }: {
imports = [ nixosConfig ];
imports = [ nixosConfig nginxHardening ];
networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
};
};
server-modules/nginx.nix
-5
View File
@@ -1,5 +0,0 @@
{
services.nginx = {
enable = true;
};
}
server-modules/ssh.nix
+9
View File
@@ -10,6 +10,15 @@ in {
PermitRootLogin = "no";
PasswordAuthentication = false;
AllowUsers = [username];
MaxAuthTries = 3;
LoginGraceTime = 20;
X11Forwarding = false;
AllowAgentForwarding = false;
AllowTcpForwarding = false;
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
};
};