44 lines
1.1 KiB
Nix
44 lines
1.1 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
{
|
|
# memory allocator
|
|
# BREAKS REDIS-IMMICH
|
|
# environment.memoryAllocator.provider = "graphene-hardened";
|
|
|
|
# disable coredumps
|
|
systemd.coredump.enable = false;
|
|
|
|
# The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
|
|
# prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
|
|
# that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
|
|
# served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
|
|
security.unprivilegedUsernsClone = true;
|
|
|
|
services = {
|
|
dbus.implementation = "broker";
|
|
/*
|
|
logrotate.enable = true;
|
|
journald = {
|
|
storage = "volatile"; # Store logs in memory
|
|
upload.enable = false; # Disable remote log upload (the default)
|
|
extraConfig = ''
|
|
SystemMaxUse=500M
|
|
SystemMaxFileSize=50M
|
|
'';
|
|
};
|
|
*/
|
|
};
|
|
|
|
services.fail2ban = {
|
|
enable = true;
|
|
# Use iptables actions for compatibility
|
|
banaction = "iptables-multiport";
|
|
banaction-allports = "iptables-allports";
|
|
};
|
|
}
|