jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

System hardening

Browse source
This commit is contained in:
Jakob Lechner 2023-11-22 14:49:30 +00:00
parent 75a9e55876
commit 27c9d479b2
No known key found for this signature in database
GPG key ID: 996082EFB5906C10
8 changed files with 81 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

56
hosts/iron/configuration.nix
View file

@ -152,31 +152,37 @@ with lib; {
];
};
fileSystems = mkMerge (mapAttrsToList
(dataset: mountpoint: {
"${mountpoint}" = {
device = "${dataset}";
fsType = "zfs";
options = [ "X-mount.mkdir" "noatime" ];
neededForBoot = true;
};
})
datasets ++ map
(esp: {
"/boot/efis/${esp}" = {
device = "${devNodes}/${esp}";
fsType = "vfat";
options = [
"x-systemd.idle-timeout=1min"
"x-systemd.automount"
"noauto"
"nofail"
"noatime"
"X-mount.mkdir"
];
};
})
efiSystemPartitions);
fileSystems = mkMerge
(mapAttrsToList
(dataset: mountpoint: {
"${mountpoint}" = {
device = "${dataset}";
fsType = "zfs";
options = [ "X-mount.mkdir" "noatime" ];
neededForBoot = true;
};
})
datasets ++ map
(esp: {
"/boot/efis/${esp}" = {
device = "${devNodes}/${esp}";
fsType = "vfat";
options = [
"x-systemd.idle-timeout=1min"
"x-systemd.automount"
"noauto"
"nofail"
"noatime"
"X-mount.mkdir"
];
};
})
efiSystemPartitions) // {
"/proc" = {
device = "/proc";
options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
};
};
hardware.enableRedistributableFirmware = true;