kitten.sh / system
Personal Nix setup
fork atom

Tweak server configs

kitten.sh 93a45295 a750247b

options
unified split
Changed files
+18 -1
modules
router
timeserver.nix
server
sshd.nix
+17 -1
modules/router/timeserver.nix 
···

       
20

       
20

       
 

       
  config = mkIf cfg.timeserver.enable {


     

       
21

       
21

       
 

       
    networking.timeServers = [


     

       
22

       
22

       
 

       
      "time.cloudflare.com"


     

       
23

       

       
-

       
      "uk.pool.ntp.org"


     

       

       
23

       
+

       
      "ntppool1.time.nl"


     

       

       
24

       
+

       
      "ptbtime1.ptb.de"


     

       
24

       
25

       
 

       
    ];


     

       
25

       
26

       
 

       



     

       
26

       
27

       
 

       
    services.chrony = {


     

       
27

       
28

       
 

       
      enable = true;


     

       

       
29

       
+

       
      extraFlags = mkDefault [


     

       

       
30

       
+

       
        "-F 1" # seccomp filter


     

       

       
31

       
+

       
        "-r" # reload history on restart


     

       

       
32

       
+

       
      ];


     

       

       
33

       
+

       
      initstepslew.enabled = mkDefault false;


     

       

       
34

       
+

       
      enableRTCTrimming = mkDefault false;


     

       

       
35

       
+

       
      enableNTS = mkDefault true;


     

       
28

       
36

       
 

       
      extraConfig = ''


     

       

       
37

       
+

       
        minsources 3


     

       

       
38

       
+

       
        authselectmode require


     

       

       
39

       
+

       
        dscp 46


     

       

       
40

       
+

       
        makestep 1.0 3


     

       

       
41

       
+

       
        cmdport 0


     

       

       
42

       
+

       
        noclientlog


     

       

       
43

       
+

       
        ${strings.optionalString (!config.services.chrony.enableRTCTrimming) "rtcsync"}


     

       
29

       
44

       
 

       
        allow all


     

       
30

       
45

       
 

       
        ${bindDevices}


     

       
31

       
46

       
 

       
      '';


     

       
32

       
47

       
 

       
    };


     

       
33

       
48

       
 

       



     

       

       
49

       
+

       
    services.timesyncd.enable = false;


     

       
34

       
50

       
 

       
    services.ntp.enable = false;


     

       
35

       
51

       
 

       
    services.openntpd.enable = false;


     

       
36

       
52

       
 

       
  };
+1
modules/server/sshd.nix 
···

       
21

       
21

       
 

       
    services.openssh = {


     

       
22

       
22

       
 

       
      enable = true;


     

       
23

       
23

       
 

       
    } // helpers.linuxAttrs {


     

       

       
24

       
+

       
      settings.PermitRootLogin = mkDefault "no";


     

       
24

       
25

       
 

       
      openFirewall = mkDefault (!config.modules.router.enable);


     

       
25

       
26

       
 

       
      ports = [ 22 2222 ];


     

       
26

       
27

       
 

       
    };