| author | Alejandro Soto <alejandro@34project.org> | 2024-08-02 17:03:25 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-08-03 11:11:27 -0600 |
| commit | 92848a9ab888518d7211327d7733f40814e7ccbf (patch) | |
| tree | 2eeeacce2462f5c8b1eee9f429bd749668a3bf4b | |
| parent | ae67454d07f2e2cfe66dbfaa19b4296499171ba8 (diff) | |
sys/[lustrated]: initial commit
Diffstat (limited to '')
| -rw-r--r-- | flake.nix | 3 | ||||
| -rw-r--r-- | sys/auth/openssh.nix | 7 | ||||
| -rw-r--r-- | sys/boot/chain.nix | 6 | ||||
| -rw-r--r-- | sys/boot/namespaced.nix | 3 | ||||
| -rw-r--r-- | sys/net/interfaces.nix | 2 | ||||
| -rw-r--r-- | sys/preset/dmz.nix | 2 | ||||
| -rw-r--r-- | sys/preset/user.nix | 2 |
7 files changed, 15 insertions, 10 deletions
@@ -33,6 +33,8 @@ pre-commit-hooks-nix.follows = ""; }; }; + + vpsadminos.url = "github:vpsfreecz/vpsadminos"; }; outputs = @@ -46,6 +48,7 @@ , nixvirt , flake-utils , lanzaboote + , vpsadminos }: let system = "x86_64-linux"; diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix index 3bc3a78..87c6299 100644 --- a/sys/auth/openssh.nix +++ b/sys/auth/openssh.nix @@ -19,6 +19,11 @@ in }; }) [ "ecdsa" "ed25519" "rsa" ]); + shiftPortNumber = mkOption { + type = types.bool; + default = true; + }; + withDeployKeys = mkOption { type = types.bool; default = false; @@ -39,7 +44,7 @@ in services.openssh = { enable = true; openFirewall = true; - ports = [ 2234 ]; + ports = mkIf cfg.shiftPortNumber [ 2234 ]; startWhenNeeded = !config.services.fail2ban.enable; hostKeys = map diff --git a/sys/boot/chain.nix b/sys/boot/chain.nix index c726cf8..aeb3bbe 100644 --- a/sys/boot/chain.nix +++ b/sys/boot/chain.nix @@ -4,10 +4,8 @@ with lib; let in { options.local.boot = { - enable = mkEnableOption "system boot"; - loader = mkOption { - type = types.enum [ "grub" "systemd-boot" ]; + type = types.enum [ "none" "grub" "systemd-boot" ]; }; kernel = mkOption { @@ -15,7 +13,7 @@ in }; }; - config = mkIf cfg.enable { + config = mkIf (cfg.loader != "none") { boot = { kernelPackages = cfg.kernel; diff --git a/sys/boot/namespaced.nix b/sys/boot/namespaced.nix index 9927ae2..db01d55 100644 --- a/sys/boot/namespaced.nix +++ b/sys/boot/namespaced.nix @@ -12,9 +12,10 @@ in local.boot = mkMerge ([ { - enable = mkForce false; + loader = mkForce "none"; efi.enable = mkForce false; + firmware.mode = mkForce "none"; secureBoot.enable = mkForce false; impermanence.enable = mkForce false; } diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix index 0341440..11b9621 100644 --- a/sys/net/interfaces.nix +++ b/sys/net/interfaces.nix 
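Review bot: The new `vpsadminos.url = "github:vpsfreecz/vpsadminos";` input in the first flake.nix hunk has no accompanying flake.lock change — the diffstat lists seven files and flake.lock is not among them — so until the lock is regenerated the input resolves to whatever the default branch holds at evaluation time rather than a reviewed revision; commit the updated lock together with the input. The surrounding `follows` entries suggest this flake already de-duplicates transitive inputs; if vpsadminos carries its own nixpkgs input, the same treatment (`inputs.vpsadminos.inputs.nixpkgs.follows = "nixpkgs";`, assuming the primary input is named that) keeps a second nixpkgs out of the closure — confirm against the flake's input names. The `, vpsadminos` argument added in the second hunk is only taken into scope; its use lies outside this diff.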
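Review bot: The new `shiftPortNumber` option in the first sys/auth/openssh.nix hunk has no `description`, and its effect is easy to misread: when it is false, `ports = mkIf cfg.shiftPortNumber [ 2234 ];` in the second hunk evaluates to the module default (port 22), and since `openFirewall = true` sits beside it the firewall opening follows whichever port is active. Add `description = "Listen on 2234 instead of the default port 22; the firewall rule follows the active port.";` to the option so that is explicit. The alternate port is a noise-reduction measure, not an access control — the authentication surface is identical in both settings. If a fail2ban sshd jail is configured elsewhere (the `startWhenNeeded` line shows fail2ban is in play), it presumably needs to track the same port — worth confirming.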
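Review bot: `loader` in the first sys/boot/chain.nix hunk now drives the whole `config = mkIf (cfg.loader != "none")` condition in the second hunk but declares no `default`, so any host that neither sets `local.boot.loader` nor imports a preset that does will fail evaluation with an undefined-option error, whereas the removed `enable = mkEnableOption "system boot";` defaulted to false and left the module inert. Add `default = "none";` to preserve that behaviour, and restore the description that went away with `mkEnableOption`, e.g. `description = "Boot loader to install; \"none\" leaves boot configuration untouched.";`. Relatedly, the sys/boot/namespaced.nix hunk forces `firmware.mode = mkForce "none";` but no `firmware` option is declared in this commit; if it is defined elsewhere under sys/boot that is fine, otherwise that assignment will also fail evaluation. The `config` block continues outside the hunk.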
@@ -23,6 +23,8 @@ in domain = mkDefault config.local.domains.host.main; hostName = cfg.hostname; + firewall.logRefusedConnections = false; + useDHCP = false; enableIPv6 = true; useNetworkd = true; diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix index 19985e0..a64a5b7 100644 --- a/sys/preset/dmz.nix +++ b/sys/preset/dmz.nix @@ -15,8 +15,6 @@ in config = lib.mkIf cfg.enable { local = { boot = { - enable = mkDefault true; - kernel = mkDefault pkgs.linuxPackages_hardened; loader = mkDefault "grub"; diff --git a/sys/preset/user.nix b/sys/preset/user.nix index 5f06f15..e0b3b9e 100644 --- a/sys/preset/user.nix +++ b/sys/preset/user.nix @@ -25,8 +25,6 @@ in }; boot = { - enable = mkDefault true; - kernel = mkDefault pkgs.linuxPackages_latest; loader = mkDefault "grub"; |
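Review bot: `firewall.logRefusedConnections = false;` in the sys/net/interfaces.nix hunk silences the kernel log entry for every dropped inbound packet on every host that imports this module, which removes the only host-local trace of port scans and blocked connection attempts, and the commit message gives no rationale. If the motive is journal noise, record it in a comment, e.g. `# Refused-connection logging is off to keep the journal quiet; re-enable on hosts where dropped-packet audit matters.`, or better, expose it as an option alongside `hostname` so the hardened presets (dmz.nix in this same commit) can keep logging on. The `firewall.*` attribute path assumes the enclosing attrset is `networking`; that enclosing attribute begins outside the hunk.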
