[Hardening] Deactivate password login for root when hardening is enabled

Antoine Viallon 2022-03-02 20:56:16 +01:00
parent 4915bff563
commit 3d55cc1894
Signed by: aviallon
GPG key ID: 186FC35EDEB25716
2 changed files with 4 additions and 1 deletions


@ -47,6 +47,8 @@ in
aviallon.hardening.expensive = mkForce cfg.hardcore; aviallon.hardening.expensive = mkForce cfg.hardcore;
services.openssh.permitRootLogin = "prohibit-password";
security.apparmor.enable = true; security.apparmor.enable = true;
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
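Review bot: The added `services.openssh.permitRootLogin = "prohibit-password";` only removes password login for root; key-based root login stays allowed, and password authentication for every other account is not touched in this section. If the hardening profile is meant to take SSH password guessing off the table, consider also setting `services.openssh.passwordAuthentication = false;` here, or `permitRootLogin = "no"` where root SSH access is not needed. That may already be set in a module not shown on this page. The value is set at normal priority while the line above uses `mkForce`, which is enough to override the `mkDefault "yes"` in the other file. A short comment such as `# normal priority on purpose: a conflicting definition should fail evaluation` would record that choice. Note also that with hardening disabled the effective default is still `"yes"`, with TCP port 22 open in the firewall.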


@ -47,7 +47,7 @@ in {
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
# services.openssh.permitRootLogin = "prohibit-password"; # services.openssh.permitRootLogin = "prohibit-password";
services.openssh.permitRootLogin = "yes"; services.openssh.permitRootLogin = mkDefault "yes";
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
networking.firewall.allowedUDPPorts = [ 22 ]; networking.firewall.allowedUDPPorts = [ 22 ];
@ -113,6 +113,7 @@ in {
] (x: builtins.toJSON x)); ] (x: builtins.toJSON x));
# Enusre low-latency response for this time-critical service
systemd.services."hdapsd@" = { systemd.services."hdapsd@" = {
serviceConfig = { serviceConfig = {
Nice = -20; Nice = -20;