base: sshd defaults, cert-viewer, other defaults, upgrade deps

mgit-at · Mar 22, 2024 · 7ec7e54 · 7ec7e54
1 parent 7e937a7
commit 7ec7e54
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 4 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/modules/base-tools.nix b/modules/base-tools.nix
@@ -33,5 +33,6 @@
     # added in nixos
     sysz
     iftop
-  ] ++ (if pkgs ? "cert-viewer" then [ pkgs.cert-viewer ] else []);
+    cert-viewer
+  ];
 }
diff --git a/modules/defaults/base/sshd.nix b/modules/defaults/base/sshd.nix
@@ -13,5 +13,10 @@ with lib;
       UseDns = false;
       UsePAM = mkDefault true;
     };
+
+    # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/doc/user/gitlab_com/index.md#ssh-host-keys-fingerprints
+    knownHosts."gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    # https://github.blog/2021-09-01-improving-git-protocol-security-github/#new-host-keys
+    knownHosts."github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
   };
 }
diff --git a/modules/defaults/misc.nix b/modules/defaults/misc.nix
@@ -2,12 +2,14 @@
   security.sudo.enable = false;
   users.mutableUsers = false;
   networking.useDHCP = true;
+  boot.initrd.systemd.enable = true;
 
   # todo: su exec only possible in root group
 
   # firewall
   networking.firewall.enable = true;
   networking.nftables.enable = true;
+  networking.nftables.flushRuleset = false;
 
   # lock-out protection
   networking.firewall.allowedTCPPorts = [ 22 ];