
Caddy service hardening

MrSnowy 2e1ce9f0 45388606

+80 -12
+1 -1
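--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -30,7 +30,7 @@
     ./containers
     ./services
 
-    ../sops
+    ../../sops
     args.flakes.home-manager.nixosModules.home-manager
   ];
 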
+46 -2
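--- a/hosts/server/services/caddy.nix
+++ b/hosts/server/services/caddy.nix
@@ -1,7 +1,5 @@
 {
   config,
-  lib,
-  pkgs,
   ...
 }:
 let
@@ -163,4 +161,50 @@
     '';
   };
 
+  systemd.services.caddy.serviceConfig = {
+    RemoveIPC = true;
+    ProtectSystem = "strict";
+    CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+
+    ProtectClock = true;
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    ProtectKernelLogs = true;
+    ProtectControlGroups = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    UMask = "0077";
+
+    SystemCallArchitectures = "native";
+    RestrictSUIDSGID = true;
+    LockPersonality = true;
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+      "AF_UNIX"
+    ];
+    MemoryDenyWriteExecute = true;
+    PrivateDevices = true;
+    DevicePolicy = "closed";
+    DeviceAllow = [ "" ];
+
+    SystemCallFilter = [
+      "~@privileged"
+      "~@resources"
+      "~@mount"
+      "~@reboot"
+      "~@obsolete"
+      "~@clock"
+      "~@cpu-emulation"
+      "~@debug"
+      "~@module"
+      "~@raw-io"
+      "~@swap"
+    ];
+    SystemCallErrorNumber = "EPERM";
+  };
 }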
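Review bot: `CapabilityBoundingSet` and `AmbientCapabilities` (new lines 167–168) are assigned as plain strings on `systemd.services.caddy.serviceConfig`, and the first hunk drops `lib` from the module arguments, so there is no `lib.mkForce` available; if the upstream NixOS caddy module already defines either key with a different string, evaluation fails with a conflicting-definition error, so either confirm the module leaves them unset or re-add `lib` and write `CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";`. `ProtectSystem = "strict"` (line 166) makes the whole tree read-only, so certificate storage and ACME renewal only keep working if the module already grants `ReadWritePaths`/`StateDirectory` for the data directory — worth pinning with a comment such as `# strict: relies on the module's ReadWritePaths for the cert store`. Because `SystemCallErrorNumber = "EPERM"` (line 208) turns filtered syscalls into silent failures rather than a kill, a denied call shows up only as an odd error in the caddy journal; a comment saying so would save the next debugging session. The `let` bindings and the rest of the module body lie outside the visible hunks.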
+6 -3
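--- a/hosts/server/services/random.nix
+++ b/hosts/server/services/random.nix
@@ -1,12 +1,9 @@
 {
   config,
-  lib,
-  pkgs,
   ...
 }:
 
 {
-
   services = {
     openssh = {
       enable = true;
@@ -18,7 +15,13 @@
       authorizedKeysInHomedir = false;
       settings = {
         PasswordAuthentication = false;
+        AllowTcpForwarding = false;
+        TCPKeepAlive = false;
         PermitRootLogin = "no";
+        MaxAuthTries = 3;
+        ClientAliveCountMax = 2;
+        MaxSessions = 2;
+        LogLevel = "VERBOSE";
         AllowUsers = [
           "snow"
           "file-backup"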
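Review bot: `ClientAliveCountMax = 2;` (new line 22) does nothing on its own: sshd's `ClientAliveInterval` defaults to 0, which disables client-alive probing entirely, and `TCPKeepAlive = false;` two lines above removes the kernel keepalive too, so a hung session is never torn down. Add `ClientAliveInterval = 300;` next to it so the count-max actually bounds how long a dead session survives. `MaxSessions = 2;` limits multiplexed channels per connection rather than concurrent logins; if the intent is to cap parallel connection attempts, `MaxStartups` is the relevant knob. The `settings` block and the `openssh` attribute set continue beyond the hunk.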
+26 -6
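--- a/hosts/server/system/configuration.nix
+++ b/hosts/server/system/configuration.nix
@@ -69,13 +69,25 @@
       # Disable ftrace debugging
       "kernel.ftrace_enabled" = false;
 
+      "dev.tty.ldisc_autoload" = 0; # disallow loading ldiscs
+      "fs.protected_fifos" = 2; # protect /tmp
+      "fs.protected_regular" = 2; # protect /tmp
+      "fs.suid_dumpable" = 0; # disable core dumping of privilaged prograns
+      "kernel.sysrq" = 0; # Disallow sysrq keybinds, not needed for a server.
+      "net.core.bpf_jit_harden" = 2;
+
       # Disable bpf() JIT (to eliminate spray attacks)
       # "net.core.bpf_jit_enable" = false;
 
       # https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open
       "net.ipv4.tcp_fastopen" = 3;
 
+      # for containers :3
       "kernel.unprivileged_userns_clone" = 1;
+
+      # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+      "net.core.rmem_max" = 7500000;
+      "net.core.wmem_max" = 7500000;
     };
 
     loader = {
@@ -92,10 +104,18 @@
     };
 
     blacklistedKernelModules = [
+      # USB storage protocols
+      "usb-storage"
+      "uas"
+
       # Obscure network protocols
       "ax25"
       "netrom"
       "rose"
+      "dccp"
+      "sctp"
+      "rds"
+      "tipc"
 
       # Old or rare or insufficiently audited filesystems
       "adfs"
@@ -162,10 +182,12 @@
   };
 
   security = {
-    # lockKernelModules = true;
+    lockKernelModules = true;
     protectKernelImage = true;
 
-    auditd.enable = true;
+    # auditd = {
+    #   enable = true;
+    # };
     sudo.enable = false;
     sudo-rs = {
       enable = true;
@@ -216,6 +238,7 @@
     file-backup = { };
   };
   users = {
+    # mutableUsers = false;
     snow = {
       isNormalUser = true;
       description = "snow";
@@ -257,10 +280,7 @@
   };
 
   systemd = {
+    # Make docker only run for the "snow" user.
     user.services.docker.unitConfig.ConditionUser = lib.mkForce "snow";
-    # tmpfiles.rules = [
-    #   "d ${config.users.users.file-backup.home} 0755 root root -"
-    #   "d ${config.users.users.file-backup.home}/meow 0700 ${config.users.users.file-backup.name} ${config.users.users.file-backup.group} -"
-    # ];
   };
 }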
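Review bot: The `security` hunk replaces `auditd.enable = true;` with a commented-out block, so a commit titled as hardening quietly removes the host's audit trail with no stated reason; if it was switched off for log volume, say so in place (`# auditd off: <reason>, re-enable with narrowed rules`) rather than leaving a silent regression, since the new sshd `LogLevel = "VERBOSE"` elsewhere in this commit does not cover local privilege events. In the same hunk `lockKernelModules = true;` stops all module loading after boot, which can break on-demand autoload of netfilter or bridge modules that the Docker user service and `./containers` may depend on unless they are listed in `boot.kernelModules`; a comment naming the modules that were verified would make that intent checkable. The new sysctl comment on `"fs.suid_dumpable"` misspells "privileged programs". The sysctl, `security`, `users` and `systemd` attribute sets all start or end outside the visible hunks.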
+1
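--- a/hosts/server/system/network.nix
+++ b/hosts/server/system/network.nix
@@ -2,6 +2,7 @@
 {
   networking = {
     hostName = "snow-den";
+    domain = "mrsnowy.dev";
 
     nameservers = [
       # Mullvad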