diff --git a/configuration.nix b/configuration.nix
index ee25c38..b28b711 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,6 +45,16 @@
 rsync
 ];
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
+ services.openssh.hostKeys = [{
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu jetthomaspham@gmail.com"
 ];
diff --git a/flake.lock b/flake.lock
index af0d258..dd5aba2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,11 +52,11 @@
 ]
 },
 "locked": {
- "lastModified": 1773025010,
- "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=",
+ "lastModified": 1773506317,
+ "narHash": "sha256-qWKbLUJpavIpvOdX1fhHYm0WGerytFHRoh9lVck6Bh0=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3",
+ "rev": "878ec37d6a8f52c6c801d0e2a2ad554c75b9353c",
 "type": "github"
 },
 "original": {
@@ -88,11 +88,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1773282481,
- "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+ "lastModified": 1773389992,
+ "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+ "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
 "type": "github"
 },
 "original": {
diff --git a/modules/hardening.nix b/modules/hardening.nix
index 9233354..ca324ff 100644
--- a/modules/hardening.nix
+++ b/modules/hardening.nix
@@ -35,6 +35,11 @@
 enable = true;
 maxtime = "24h";
 };
+ ignoreIP = [
+ "100.64.0.0/10"
+ "127.0.0.0/8"
+ "::1/128"
+ ];
 };
 # ── Kernel hardening ──
@@ -79,10 +84,4 @@
 services.avahi.enable = false;
 services.printing.enable = false;
- # ── Automatic security updates ──
- system.autoUpgrade = {
- enable = true;
- allowReboot = false;
- dates = "04:00";
- };
 }
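Review bot: The new `services.openssh.hostKeys` entry in configuration.nix has no comment saying why the host key is pinned to a single ed25519 file. The same commit re-encrypts the files under secrets/ to a different `ssh-ed25519` recipient, which suggests (not confirmed from this hunk) that this host key is also the age identity used to decrypt them. If that is the case, I would add a comment above the entry such as `# Only host key; assumed to be the age identity for secrets/*.age, so regenerating it means re-encrypting every secret`. Declaring the list also replaces the NixOS default that includes an RSA host key, which is worth stating in the same comment so a later reader does not restore it by accident. The enclosing attribute set starts and ends outside the hunk.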
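Review bot: The `ignoreIP` list added in the first hunk of modules/hardening.nix exempts all of `100.64.0.0/10`, which is the RFC 6598 shared address space rather than a block owned by one overlay network, so a client reaching this host from a carrier-grade NAT or any other network using that range is never banned. If the intent is to keep VPN peers from locking themselves out (an assumption, the hunk does not say), I would list the narrower subnet or the peer addresses actually assigned, or keep the range and confirm the protected services are not reachable from it on a public interface. At minimum add a comment above the first entry, e.g. `# overlay/VPN peers only; services are reachable from this range solely via the VPN interface`. The surrounding block, presumably the fail2ban service settings, opens before the hunk.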
diff --git a/secrets/b2-account-id.age b/secrets/b2-account-id.age index df8dbf5..888d950 100644 Binary files a/secrets/b2-account-id.age and b/secrets/b2-account-id.age differ diff --git a/secrets/b2-application-key.age b/secrets/b2-application-key.age index f09294e..7b70e85 100644 --- a/secrets/b2-application-key.age +++ b/secrets/b2-application-key.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 8KhtvA RPJwPm/DkUYfQlYSCa4s6KF5bV8ajDflEj+Gljgs1TI -aP54VuO6RYP/tLPIzOHDgRIKs1AirPu3zkYuvVamTjE --> ssh-ed25519 Ziw7aw DHkTEHLtrhSuSoNuv9zS5kgeKth3NtjUj8IVBiBch1k -/P9kmTW0z3oTuBtd8wv+tfbBWP4Y1ObhPbwnLeCJO/U ---- 6OuUgwkLM+4RkVychG8IVWRb9es4WimS6KI6jxCyPn4 -'^x`WAN;zV`m7G7vc]`M#=ֵ#K \ No newline at end of file +-> ssh-ed25519 nN+I3Q pvBHHJ8gvyYbp4UC7m/ftbk0AsSqhger/w2V3VnD2B8 +5mkBZwujtIYxtI9uaSbbHvHqslW2zRqigWqA9DHNLBU +-> ssh-ed25519 Ziw7aw MormurJwU7hFYfklN0G3AYJeG05fcfNP9P1uTL6woHQ +N8C5yyyJQJdf3vH7ym5/AkLyEr2MLRjxd5EG0B5OGto +--- t6FsZYSVfoqW8F9t4uIVqWajSV+eQ2t2VEC8Z3EJyIk +ߋ+cEH !\2󺇢X DDW#R \ No newline at end of file diff --git a/secrets/discord-bot-token.age b/secrets/discord-bot-token.age index 7553626..eeb495c 100644 --- a/secrets/discord-bot-token.age +++ b/secrets/discord-bot-token.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 8KhtvA 14QBStvnxOU5fDg/fBWu7Klun03DfblZhFV1vWn/u2w -0/rGOHyVCh7AG0HBMCw8XAKkvKmtDXk32zDZFRVI+aE --> ssh-ed25519 Ziw7aw agcXQVvCtH88gSFhJH+g4vJDHFyqfMc7haOmqCWCtBs -ULjdXfTM1/3a6fXrqsH7rLPXCLOxT0DBbGnn5Y3znfo ---- rGogYk7dpYIqYP9Vg7oRu8ZghB0nYddMCpzz4GKCx0s -3b0 -j\>Cs.@&,%4fC1Eբ~ ȏͳ2۳b_2-*C~L͜=(QP+ -6 \ No newline at end of file +-> ssh-ed25519 nN+I3Q YmpwUlCii+a5JxJ7nYNJHRH/dqgabVrvRG4HAcDv80M +3G5MM3gJ0RBZQXz3WUetiXSSGEl2y+E1ZgyJ7Xp+bzg +-> ssh-ed25519 Ziw7aw 566UvTX3i6TgwVI+R+4xZMKDk2taODC4eSazhwnXpWs +DlWnZMQuO2UQsji3NqB9hJf3a0U+3m8jrp6YOwyNVdc +--- x6e0Gj888fGWJ99j/Vr995EwdilrY+kIFCsq5CKNAkQ +)NCpcv51o\imFs( )7@2O_w [E[7ZKx,rI[ndmNc \ No newline at end of file 
diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age index 85b18a7..69ce3c1 100644 Binary files a/secrets/grafana-admin-password.age and b/secrets/grafana-admin-password.age differ diff --git a/secrets/grafana-secret-key.age b/secrets/grafana-secret-key.age index 99d92bc..a5e2b5c 100644 --- a/secrets/grafana-secret-key.age +++ b/secrets/grafana-secret-key.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 8KhtvA HwJeI2xpphSyhSacAqEdmnzbJxNEuRN2sLv+sK0XqQI -11GS6HqXTQ0gksTZlJfVDwJ3PaLy1SD5D/J7QstK/bI --> ssh-ed25519 Ziw7aw 5S4mq+b1VAaMrXZrUfYowGfU/wR6aSql3wVOsKnbJEQ -c+DAvSndUItpBbFR1ce/SfL2AthJ7fW8Sdq+vja6L+s ---- wSQ+PDx7FR4mDl9Cw4ah/CS2JujL7uP+9ZexfD8KfgI -}|dLXOR UU)ʒ'jgPpm xC BV@ґ->6ԟ&` \ No newline at end of file +-> ssh-ed25519 nN+I3Q NoHPLxNkUs3bwE/lxtFJkHamKo4UwHa7rFhkUz5uZUM +KXs0AU1/wjd7yxnNRrQk8NNFD6XBZaNZNHLsT7hOLS8 +-> ssh-ed25519 Ziw7aw exDf6HgFViw+HSsvdqHdeVty06Krk3ku6vFJJMwi93A +0S/vjoRdk+sYifgz/B3t7Nkd6JNtWsBoJzlAUP94cmw +--- UTKoNnzmxwtve3lSyyLP52iQA0LT94Fr5sRsuVNJ6Y0 +oR5xeaTQsy_Hgq3;)Hk㥏a7N'