Noratrieb/vps
1
0
Fork 0
mirror of https://github.com/Noratrieb/vps.git synced 2026-01-14 16:55:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

update

Browse source
This commit is contained in:
nora 2025-12-28 18:43:32 +01:00
parent 413dfef394
commit 9015d6ebab
3 changed files with 54 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nix/apps/does-it-build/default.nix
View file

@ -49,6 +49,23 @@ in
]; ];
# GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----... # GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----...
EnvironmentFile = [ config.age.secrets.does_it_build_private_key.path ]; EnvironmentFile = [ config.age.secrets.does_it_build_private_key.path ];
ProtectHome = true;
StateDirectory = "does-it-build";
ProtectSystem = "strict";
PrivateTmp = true;
RemoveIPC = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
RestrictNamespaces = "";
RestrictSUIDSGID = true;
ProtectHostname = true;
}; };
}; };

34
nix/modules/default/default.nix
View file

@ -60,6 +60,7 @@ in
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
AllowUsers = [ "root" ];
}; };
}; };
services.fail2ban = { services.fail2ban = {
@ -79,6 +80,22 @@ in
"PRETENSE_PORTS=23,3306,5432,1521" # telnet,mysql,postgres,oracle "PRETENSE_PORTS=23,3306,5432,1521" # telnet,mysql,postgres,oracle
"PRETENSE_METRICS_PORT=9150" "PRETENSE_METRICS_PORT=9150"
]; ];
PrivateDevices = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectKernelTunables = true;
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
ProtectProc = "ptraceable";
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "";
SystemCallFilter = "@system-service";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
ProtectSystem = "strict";
}; };
}; };
systemd.services.quotdd = { systemd.services.quotdd = {
@ -90,6 +107,23 @@ in
ExecStart = "${lib.getExe (quotdd {inherit pkgs;})}"; ExecStart = "${lib.getExe (quotdd {inherit pkgs;})}";
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = [ ]; Environment = [ ];
PrivateDevices = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectKernelTunables = true;
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
ProtectProc = "ptraceable";
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "";
SystemCallFilter = "@system-service";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
ProtectSystem = "strict";
}; };
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [

6
nix/my-projects.json
View file

@ -18,12 +18,12 @@
} }
}, },
"does-it-build": { "does-it-build": {
"commit": "d15a7465584b5e90dc19126cc3d097683d055a63", "commit": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
"fetchFromGitHub": { "fetchFromGitHub": {
"owner": "Noratrieb", "owner": "Noratrieb",
"repo": "does-it-build", "repo": "does-it-build",
"rev": "d15a7465584b5e90dc19126cc3d097683d055a63", "rev": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
"hash": "sha256-UC+uy7Ba+VAXeBplIblrYptoI2ORsnL+U64BNGUR7CY=" "hash": "sha256-n7rTR3VrPt0x7QfzRnOHSxb4gSfMj4rA9kZD1RTYTWY="
} }
}, },
"upload.files.noratrieb.dev": { "upload.files.noratrieb.dev": {