diff --git a/configuration.nix b/configuration.nix
index b28b711..ee25c38 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,16 +45,6 @@
 rsync
 ];
- zramSwap = {
- enable = true;
- memoryPercent = 50;
- };
-
- services.openssh.hostKeys = [{
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }];
-
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu jetthomaspham@gmail.com"
 ];
diff --git a/flake.lock b/flake.lock
index dd5aba2..af0d258 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,11 +52,11 @@
 ]
 },
 "locked": {
- "lastModified": 1773506317,
- "narHash": "sha256-qWKbLUJpavIpvOdX1fhHYm0WGerytFHRoh9lVck6Bh0=",
+ "lastModified": 1773025010,
+ "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "878ec37d6a8f52c6c801d0e2a2ad554c75b9353c",
+ "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3",
 "type": "github"
 },
 "original": {
@@ -88,11 +88,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1773389992,
- "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
+ "lastModified": 1773282481,
+ "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
+ "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
 "type": "github"
 },
 "original": {
diff --git a/modules/hardening.nix b/modules/hardening.nix
index ca324ff..9233354 100644
--- a/modules/hardening.nix
+++ b/modules/hardening.nix
@@ -35,11 +35,6 @@
 enable = true;
 maxtime = "24h";
 };
- ignoreIP = [
- "100.64.0.0/10"
- "127.0.0.0/8"
- "::1/128"
- ];
 };
 # ── Kernel hardening ──
@@ -84,4 +79,10 @@
 services.avahi.enable = false;
 services.printing.enable = false;
+ # ── Automatic security updates ──
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ dates = "04:00";
+ };
 }
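Review bot: The new `system.autoUpgrade` block at the end of modules/hardening.nix sets no `flake` attribute, so on a host built from this repository's flake the timer would likely fall back to a channel-based rebuild rather than this configuration; this is inferred from the presence of flake.lock, since the deployment method is not visible here. If the host is flake-deployed, add `flake = "<flake-ref>#<hostname>";` (placeholder values), and keep in mind that flake.lock pins nixpkgs, so unattended runs only pick up fixes once the lock is refreshed. With `allowReboot = false`, kernel and initrd updates stay inactive until someone reboots, which deserves a comment such as `# allowReboot = false: kernel fixes apply only after a manual reboot`. The enclosing attribute set starts outside the hunk.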
diff --git a/secrets/b2-account-id.age b/secrets/b2-account-id.age index 888d950..df8dbf5 100644 Binary files a/secrets/b2-account-id.age and b/secrets/b2-account-id.age differ diff --git a/secrets/b2-application-key.age b/secrets/b2-application-key.age index 7b70e85..f09294e 100644 --- a/secrets/b2-application-key.age +++ b/secrets/b2-application-key.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 nN+I3Q pvBHHJ8gvyYbp4UC7m/ftbk0AsSqhger/w2V3VnD2B8 -5mkBZwujtIYxtI9uaSbbHvHqslW2zRqigWqA9DHNLBU --> ssh-ed25519 Ziw7aw MormurJwU7hFYfklN0G3AYJeG05fcfNP9P1uTL6woHQ -N8C5yyyJQJdf3vH7ym5/AkLyEr2MLRjxd5EG0B5OGto ---- t6FsZYSVfoqW8F9t4uIVqWajSV+eQ2t2VEC8Z3EJyIk -ߋ+cEH !\2󺇢X DDW#R \ No newline at end of file +-> ssh-ed25519 8KhtvA RPJwPm/DkUYfQlYSCa4s6KF5bV8ajDflEj+Gljgs1TI +aP54VuO6RYP/tLPIzOHDgRIKs1AirPu3zkYuvVamTjE +-> ssh-ed25519 Ziw7aw DHkTEHLtrhSuSoNuv9zS5kgeKth3NtjUj8IVBiBch1k +/P9kmTW0z3oTuBtd8wv+tfbBWP4Y1ObhPbwnLeCJO/U +--- 6OuUgwkLM+4RkVychG8IVWRb9es4WimS6KI6jxCyPn4 +'^x`WAN;zV`m7G7vc]`M#=ֵ#K \ No newline at end of file diff --git a/secrets/discord-bot-token.age b/secrets/discord-bot-token.age index eeb495c..7553626 100644 --- a/secrets/discord-bot-token.age +++ b/secrets/discord-bot-token.age @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 nN+I3Q YmpwUlCii+a5JxJ7nYNJHRH/dqgabVrvRG4HAcDv80M -3G5MM3gJ0RBZQXz3WUetiXSSGEl2y+E1ZgyJ7Xp+bzg --> ssh-ed25519 Ziw7aw 566UvTX3i6TgwVI+R+4xZMKDk2taODC4eSazhwnXpWs -DlWnZMQuO2UQsji3NqB9hJf3a0U+3m8jrp6YOwyNVdc ---- x6e0Gj888fGWJ99j/Vr995EwdilrY+kIFCsq5CKNAkQ -)NCpcv51o\imFs( )7@2O_w [E[7ZKx,rI[ndmNc \ No newline at end of file +-> ssh-ed25519 8KhtvA 14QBStvnxOU5fDg/fBWu7Klun03DfblZhFV1vWn/u2w +0/rGOHyVCh7AG0HBMCw8XAKkvKmtDXk32zDZFRVI+aE +-> ssh-ed25519 Ziw7aw agcXQVvCtH88gSFhJH+g4vJDHFyqfMc7haOmqCWCtBs +ULjdXfTM1/3a6fXrqsH7rLPXCLOxT0DBbGnn5Y3znfo +--- rGogYk7dpYIqYP9Vg7oRu8ZghB0nYddMCpzz4GKCx0s +3b0 -j\>Cs.@&,%4fC1Eբ~ ȏͳ2۳b_2-*C~L͜=(QP+ +6 \ No newline at end of file 
diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age index 69ce3c1..85b18a7 100644 Binary files a/secrets/grafana-admin-password.age and b/secrets/grafana-admin-password.age differ diff --git a/secrets/grafana-secret-key.age b/secrets/grafana-secret-key.age index a5e2b5c..99d92bc 100644 --- a/secrets/grafana-secret-key.age +++ b/secrets/grafana-secret-key.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 nN+I3Q NoHPLxNkUs3bwE/lxtFJkHamKo4UwHa7rFhkUz5uZUM -KXs0AU1/wjd7yxnNRrQk8NNFD6XBZaNZNHLsT7hOLS8 --> ssh-ed25519 Ziw7aw exDf6HgFViw+HSsvdqHdeVty06Krk3ku6vFJJMwi93A -0S/vjoRdk+sYifgz/B3t7Nkd6JNtWsBoJzlAUP94cmw ---- UTKoNnzmxwtve3lSyyLP52iQA0LT94Fr5sRsuVNJ6Y0 -oR5xeaTQsy_Hgq3;)Hk㥏a7N' ssh-ed25519 8KhtvA HwJeI2xpphSyhSacAqEdmnzbJxNEuRN2sLv+sK0XqQI +11GS6HqXTQ0gksTZlJfVDwJ3PaLy1SD5D/J7QstK/bI +-> ssh-ed25519 Ziw7aw 5S4mq+b1VAaMrXZrUfYowGfU/wR6aSql3wVOsKnbJEQ +c+DAvSndUItpBbFR1ce/SfL2AthJ7fW8Sdq+vja6L+s +--- wSQ+PDx7FR4mDl9Cw4ah/CS2JujL7uP+9ZexfD8KfgI +}|dLXOR UU)ʒ'jgPpm xC BV@ґ->6ԟ&` \ No newline at end of file diff --git a/secrets/minecraft-seed.age b/secrets/minecraft-seed.age index 3fb1fae..450536e 100644 Binary files a/secrets/minecraft-seed.age and b/secrets/minecraft-seed.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 80dd680..6047b84 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,5 +1,5 @@ let - server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKa/qnwFfJkX6k3HhhytjW89er9DE9XThLc/DgphH6t"; + server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9y+1CHA9RxeeJrkIblRErPvWTeTrqdNlQjxuRgMXN2"; admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"; in { diff --git a/secrets/tailscale-auth-key.age b/secrets/tailscale-auth-key.age index ab1e6d8..8415d92 100644 Binary files a/secrets/tailscale-auth-key.age and b/secrets/tailscale-auth-key.age differ
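Review bot: The replaced `server` recipient in secrets/secrets.nix, together with the `nN+I3Q` to `8KhtvA` stanza change in the re-encrypted .age files, re-keys the secrets but does not show whether the secret values themselves were rotated. The previous ciphertexts stay in git history and remain decryptable with the old server key, so if that key was retired because it may have been exposed, the B2, Discord, Grafana and Tailscale credentials need to be reissued as well. It is also worth confirming that the new value matches the host's current ed25519 host public key, since configuration.nix in this commit drops the explicit `services.openssh.hostKeys` pin. A comment such as `# server: host SSH key, re-keyed <date>; old key retired` (placeholder date) would record the rotation.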