feat: add ssh guard

2024-02-04 12:52:53 -05:00 · 2024-02-04 12:52:53 -05:00 · d655186dc0
commit d655186dc0
parent 1b98ea698d
5 changed files with 30 additions and 0 deletions
--- a/hosts/candlekeep/sysctl.nix
+++ b/hosts/candlekeep/sysctl.nix
@ -0,0 +1,7 @@
+{lib, ...}: {
+  boot.kernel.sysctl = {
+    # disable unprivileged user namespaces to decrease attack surface
+    # Enabled because breaks discord/element etc
+    "kernel.unprivileged_userns_clone" = lib.mkForce 1;
+  };
+}