diff --git a/flake.lock b/flake.lock
index 40f7dcf..2265532 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1710806803,
-        "narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=",
+        "lastModified": 1711001935,
+        "narHash": "sha256-URtGpHue7HHZK0mrHnSf8wJ6OmMKYSsoLmJybrOLFSQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3",
+        "rev": "20f77aa09916374aa3141cbc605c955626762c9a",
         "type": "github"
       },
       "original": {
diff --git a/modules/base-tools.nix b/modules/base-tools.nix
index c23ce4b..9c26984 100644
--- a/modules/base-tools.nix
+++ b/modules/base-tools.nix
@@ -33,5 +33,6 @@
     # added in nixos
     sysz
     iftop
-  ] ++ (if pkgs ? "cert-viewer" then [ pkgs.cert-viewer ] else []);
+    cert-viewer
+  ];
 }
diff --git a/modules/defaults/base/sshd.nix b/modules/defaults/base/sshd.nix
index 4a922d5..1242a54 100644
--- a/modules/defaults/base/sshd.nix
+++ b/modules/defaults/base/sshd.nix
@@ -13,5 +13,10 @@ with lib;
       UseDns = false;
       UsePAM = mkDefault true;
     };
+
+    # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/doc/user/gitlab_com/index.md#ssh-host-keys-fingerprints
+    knownHosts."gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    # https://github.blog/2021-09-01-improving-git-protocol-security-github/#new-host-keys
+    knownHosts."github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
   };
 }
diff --git a/modules/defaults/misc.nix b/modules/defaults/misc.nix
index 4781203..97e727f 100644
--- a/modules/defaults/misc.nix
+++ b/modules/defaults/misc.nix
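Review bot: Dropping the `pkgs ? "cert-viewer"` guard in modules/base-tools.nix turns an optional package into a hard evaluation dependency on the nixpkgs pinned in this same commit's flake.lock bump, and a reader of this file alone cannot see that coupling; on any nixpkgs lacking the attribute the whole module now fails to evaluate instead of silently omitting the tool (assuming the list sits under `with pkgs;`, which starts outside the hunk). A one-line comment would make the requirement visible, e.g. `cert-viewer # not in older nixpkgs; needs the rev pinned in flake.lock`.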
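Review bot: The two `knownHosts` entries added in modules/defaults/base/sshd.nix are trust anchors, yet the gitlab.com comment points at a `master`-branch doc page whose content can change and nothing records that the key strings were checked against the providers' published fingerprints when they were copied; add that to the comment, e.g. `# verified against published SHA256 fingerprints on <date>` (placeholder), or link a permalink instead of `master`. Pinning them means a host-key rotation by either provider becomes a hard host-key-mismatch failure on every machine importing this module, which is the intended strict behaviour but worth stating next to the keys so operators recognise the symptom. Also, the enclosing attribute set starts outside the hunk; if it is `services.openssh` (the `UseDns`/`UsePAM` context suggests its `settings` block), confirm that `knownHosts` is accepted at that path, since the option is normally `programs.ssh.knownHosts` and this may rely on a renamed-option alias.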
@@ -2,12 +2,14 @@
   security.sudo.enable = false;
   users.mutableUsers = false;
   networking.useDHCP = true;
+  boot.initrd.systemd.enable = true;
   # todo: su exec only possible in root group
   # firewall
   networking.firewall.enable = true;
   networking.nftables.enable = true;
+  networking.nftables.flushRuleset = false; # lock-out protection
   networking.firewall.allowedTCPPorts = [ 22 ];