felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-21 05:51:12 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:0d7f05e56d6b96402889f15a4c3ee98698396500
Branches Tags
felixalb:main felixalb:ildkule-sops felixalb:hashed-initial-deploy-root-password felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:ecc4417e0f21876690278ba66c651809b123feeb
Branches Tags
felixalb:main felixalb:ildkule-sops felixalb:hashed-initial-deploy-root-password felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

2 Commits
0d7f05e56d ... ecc4417e0f

Author SHA1 Message Date
h7x4
ecc4417e0f base/hardening: ban a few more modules 2026-05-20 16:33:55 +09:00
h7x4
ffce1bd607 base/mitigations: blacklist modules for copyfail and pintheft 2026-05-20 16:33:55 +09:00
4 changed files with 5 additions and 57 deletions
Expand all files Collapse all files

12
base/mitigations.nix
View File

@@ -1,6 +1,7 @@
{ pkgs, lib, ... }: { ... }:
let
modulesToBan = [ {
boot.blacklistedKernelModules = [
# copy.fail # copy.fail
"af_alg" "af_alg"
"algif_aead" "algif_aead"
@@ -16,9 +17,4 @@ let
# PinTheft # PinTheft
"rds" "rds"
]; ];
in
{
boot.blacklistedKernelModules = modulesToBan;
boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
} }

7
hosts/bicep/services/matrix/livekit.nix
View File

@@ -64,11 +64,4 @@ in
''; '';
}; };
}; };
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
} }

37
hosts/bicep/services/postgresql/cleanup-timers.nix
View File

@@ -1,37 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.postgresql;
in
{
config = lib.mkIf cfg.enable {
systemd.services = {
postgresql-repack = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Repack all PostgreSQL databases";
startAt = "Mon 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
};
};
postgresql-vacuum-analyze = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Vacuum and analyze all PostgreSQL databases";
startAt = "Tue 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
};
};
};
};
}

6
hosts/bicep/services/postgresql/default.nix
View File

@@ -3,15 +3,11 @@ let
cfg = config.services.postgresql; cfg = config.services.postgresql;
in in
{ {
imports = [ imports = [ ./backup.nix ];
./backup.nix
./cleanup-timers.nix
];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_18; package = pkgs.postgresql_18;
extensions = ps: with ps; [ pg_repack ];
enableTCPIP = true; enableTCPIP = true;
authentication = '' authentication = ''