more secure servers

flake.nix

@@ -18,6 +18,7 @@
       # I've put these all here so that it's easier to see what's being
       # imported by default
       ./modules/os.nix
+      ./modules/server.nix
       ./modules/ssh.nix
       ./modules/time.nix
       ./modules/pkgs.nix

modules/server.nix

@@ -0,0 +1,20 @@
+# Most of this has been yoinked from nix-community/srvos, the only reason I'm
+# not using it is because I want absolute control over my nix settings and using
+# it would mean I would have to disable options that they enabled
+{
+  # Given that our systems are headless, emergency mode is useless.
+  # We prefer the system to attempt to continue booting so
+  # that we can hopefully still access it remotely.
+  systemd.enableEmergencyMode = false;
+
+  # No need for fonts on a server
+  fonts.fontconfig.enable = false;
+
+  # Ensure that basic bugs in systemd services are caught.
+  systemd.enableStrictShellChecks = true;
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
+}

modules/ssh.nix

@@ -20,7 +20,12 @@
     services.sshguard.enable = true;
     services.openssh = {
       enable = true;
-      settings.PasswordAuthentication = false;
+      settings = {
+        KbdInteractiveAuthentication = false;
+        PasswordAuthentication = false;
+        UseDns = false;
+        X11Forwarding = false;
+      };
     };
 
     users.users.root.openssh.authorizedKeys.keys = config.ssh.keys;