diff --git a/systems/configuration.nix b/systems/configuration.nix index 0815e35..e9520da 100644 --- a/systems/configuration.nix +++ b/systems/configuration.nix @@ -53,15 +53,21 @@ } ]; + # all of these setting are recommended by lynis unless otherwise commented settings = { - ClientAliveCountMax = 10; + AllowAgentForwarding = "no"; + AllowTcpForwarding = "no"; + ChallengeResponseAuthentication = "no"; + ClientAliveCountMax = lib.mkDefault 2; Compression = "NO"; IgnoreRhosts = "yes"; + LogLevel = lib.mkDefault "VERBOSE"; MaxAuthTries = 3; - MaxSessions = 10; + MaxSessions = lib.mkDefault 2; PasswordAuthentication = false; PermitEmptyPasswords = "no"; PermitRootLogin = "no"; + TcpKeepAlive = "no"; KexAlgorithms = [ "curve25519-sha256@libssh.org" diff --git a/systems/jeeves-jr/configuration.nix b/systems/jeeves-jr/configuration.nix index 2866819..9795317 100644 --- a/systems/jeeves-jr/configuration.nix +++ b/systems/jeeves-jr/configuration.nix @@ -33,17 +33,55 @@ }; }; - environment.systemPackages = with pkgs; [ - docker-compose - ]; + environment = { + systemPackages = with pkgs; [ + docker-compose + ]; + + etc = { + # Creates /etc/lynis/custom.prf + "lynis/custom.prf" = { + text = '' + skip-test=BANN-7126 + skip-test=BANN-7130 + skip-test=DEB-0520 + skip-test=DEB-0810 + skip-test=FIRE-4513 + skip-test=HRDN-7222 + skip-test=KRNL-5820 + skip-test=LOGG-2190 + skip-test=LYNIS + skip-test=TOOL-5002 + ''; + mode = "0440"; + }; + }; + }; + + + security.auditd.enable = true; services = { nfs.server.enable = true; + endlessh-go = { + enable = true; + port = 22; + }; + openssh.ports = [ 352 ]; smartd.enable = true; + sysstat.enable = true; + + usbguard = { + enable = true; + rules = '' + allow id 1532:0241 + ''; + }; + zfs = { trim.enable = true; autoScrub.enable = true;
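Review bot: `ClientAliveCountMax = lib.mkDefault 2` is inert as written, because sshd only sends client-alive probes when `ClientAliveInterval` is non-zero and the hunk leaves it at OpenSSH's default of 0; combined with the new `TcpKeepAlive = "no"` the server is left with no dead-peer detection at all, so connections from crashed clients linger and keep consuming sshd processes until the kernel gives up on them. Add `ClientAliveInterval = lib.mkDefault 300;` next to it (lynis's SSH hardening check appears to pair the two options — confirm against the lynis version in use). Overridability is also inconsistent: `LogLevel`, `ClientAliveCountMax` and `MaxSessions` use `lib.mkDefault`, but `AllowTcpForwarding` and `AllowAgentForwarding` do not, so a host that legitimately needs port forwarding has to `lib.mkForce` them; wrapping those in `lib.mkDefault` too would keep the per-host override story uniform. `ChallengeResponseAuthentication` is a deprecated alias for `KbdInteractiveAuthentication` in current OpenSSH, and NixOS exposes `settings.KbdInteractiveAuthentication`, which would be the clearer name here. The `settings` attrset continues past the end of the hunk.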