harden

2025-12-26 23:14:57 +08:00 · 2021-09-06 12:44:38 -04:00 · 2021-09-06 12:44:38 -04:00 · 8c472ce800
commit 8c472ce800
parent 2477aad59a
5 changed files with 26 additions and 22 deletions
--- a/features/server/devserver.nix
+++ b/features/server/devserver.nix
@ -2,5 +2,4 @@
  environment.systemPackages = with pkgs; [
    nodejs-14_x # Need this for https://nixos.wiki/wiki/Vscode
  ];
-
 }
--- a/features/server/harden.nix
+++ b/features/server/harden.nix
@ -0,0 +1,22 @@
+{ pkgs, ... }: {
+
+  networking.firewall.enable = true;
+  security.sudo.execWheelOnly = true;
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  services = {
+    openssh = {
+      enable = true;
+      permitRootLogin = "prohibit-password"; # distributed-build.nix requires it
+      passwordAuthentication = false;
+      allowSFTP = false;
+    };
+    fail2ban = {
+      enable = true;
+      ignoreIP = [
+        # quebec
+        "70.53.187.43"
+      ];
+    };
+  };
+}
--- a/features/server/unlaptop.nix
+++ b/features/server/unlaptop.nix
--- a/flake.nix
+++ b/flake.nix
@ -82,7 +82,8 @@
        nixosConfigurations.ryzen9 = mkHomeMachine
          ./hosts/ryzen9.nix
          [
-            ./features/devserver-mode.nix
+            ./features/server/harden.nix
+            ./features/server/devserver.nix
          ];
      };

--- a/hosts/ryzen9.nix
+++ b/hosts/ryzen9.nix
@ -106,25 +106,12 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
+    allowedUsers = [ "root" "srid" ];
    trustedUsers = [ "root" "srid" ];
  };

-  services = {
-    openssh = {
-      enable = true;
-      permitRootLogin = "prohibit-password"; # distributed-build.nix requires it
-      passwordAuthentication = false;
-    };
-    fail2ban = {
-      enable = true;
-      ignoreIP = [
-        # quebec
-        "70.53.187.43"
-      ];
-    };

-    netdata.enable = true;
-  };
+  services.netdata.enable = true;

  programs = {
    mosh.enable = true;
@ -139,11 +126,6 @@
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "adbusers" "audio" ];
  };
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions