more secure servers
parent
fbf624a445
commit
37fa6c9f05
3 changed files with 27 additions and 1 deletions
20
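--- a/modules/server.nix
+++ b/modules/server.nix
@@ -0,0 +1,20 @@
+# Most of this has been yoinked from nix-community/srvos, the only reason I'm
+# not using it is because I want absolute control over my nix settings and using
+# it would mean I would have to disable options that they enabled
+{
+# Given that our systems are headless, emergency mode is useless.
+# We prefer the system to attempt to continue booting so
+# that we can hopefully still access it remotely.
+systemd.enableEmergencyMode = false;
+
+# No need for fonts on a server
+fonts.fontconfig.enable = false;
+
+# Ensure that basic bugs in systemd services are caught.
+systemd.enableStrictShellChecks = true;
+
+# Make builds to be more likely killed than important services.
+# 100 is the default for user slices and 500 is systemd-coredumpd@
+# We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
+}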
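Review bot: The comment above `systemd.enableEmergencyMode = false;` covers only the availability side of the setting. With emergency mode off, the boot carries on after a filesystem fails to mount, so services may start on a degraded system and write state or logs to the root filesystem instead of the intended volume. Whether any service on these hosts depends on a separate volume is not visible in this file, so I would record the caveat next to the option: `# Caveat: boot continues past failed mounts; units that need a data volume must declare RequiresMountsFor= on it.` The settings here are reliability and resource-priority choices rather than hardening controls, which the header comment could state so that the commit title is not read as a security guarantee.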