From 8c472ce8007e0202f3cf69c2ea6d31f5383deace Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Mon, 6 Sep 2021 12:44:38 -0400
Subject: [PATCH] harden
---
.../devserver.nix} | 1 -
features/server/harden.nix | 22 +++++++++++++++++++
.../{server-mode.nix => server/unlaptop.nix} | 0
flake.nix | 3 ++-
hosts/ryzen9.nix | 22 ++-----------------
5 files changed, 26 insertions(+), 22 deletions(-)
rename features/{devserver-mode.nix => server/devserver.nix} (99%)
create mode 100644 features/server/harden.nix
rename features/{server-mode.nix => server/unlaptop.nix} (100%)
diff --git a/features/devserver-mode.nix b/features/server/devserver.nix
similarity index 99%
rename from features/devserver-mode.nix
rename to features/server/devserver.nix
index c67e6ec..e5f9d7c 100644
--- a/features/devserver-mode.nix
+++ b/features/server/devserver.nix
@@ -2,5 +2,4 @@
 environment.systemPackages = with pkgs; [
 nodejs-14_x # Need this for https://nixos.wiki/wiki/Vscode
 ];
-
 }
diff --git a/features/server/harden.nix b/features/server/harden.nix
new file mode 100644
index 0000000..b5e09cd
--- /dev/null
+++ b/features/server/harden.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }: {
+
+ networking.firewall.enable = true;
+ security.sudo.execWheelOnly = true;
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password"; # distributed-build.nix requires it
+ passwordAuthentication = false;
+ allowSFTP = false;
+ };
+ fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # quebec
+ "70.53.187.43"
+ ];
+ };
+ };
+}
diff --git a/features/server-mode.nix b/features/server/unlaptop.nix
similarity index 100%
rename from features/server-mode.nix
rename to features/server/unlaptop.nix
diff --git a/flake.nix b/flake.nix
index 0d2e443..3546c84 100644
--- a/flake.nix
+++ b/flake.nix
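Review bot: `passwordAuthentication = false;` in the new openssh block does not by itself shut off password logins, because NixOS runs sshd with `UsePAM yes` and the module's challenge-response (keyboard-interactive) option defaults to on, so a client can still be prompted for the Unix password through PAM; add `challengeResponseAuthentication = false;` beside it (the option is called `kbdInteractiveAuthentication` on NixOS 22.05 and later). `security.audit.enable = true;` with no `security.audit.rules` loads an empty rule set, so auditd will capture little beyond the kernel's default events; either add rules for the paths and syscalls you care about or record the gap with `# TODO: add security.audit.rules — an empty rule set records almost nothing`. The `pkgs` argument of this module is unused and the header could be reduced to `{ ... }: {`. The `ignoreIP` entry is a residential address committed to the repo and will go stale; a comment giving its purpose and review date would help whoever finds it later.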
@@ -82,7 +82,8 @@ nixosConfigurations.ryzen9 = mkHomeMachine ./hosts/ryzen9.nix [ - ./features/devserver-mode.nix + ./features/server/harden.nix + ./features/server/devserver.nix ]; }; diff --git a/hosts/ryzen9.nix b/hosts/ryzen9.nix index 7ca9bee..95392f8 100644 --- a/hosts/ryzen9.nix +++ b/hosts/ryzen9.nix @@ -106,25 +106,12 @@ extraOptions = '' experimental-features = nix-command flakes ''; + allowedUsers = [ "root" "srid" ]; trustedUsers = [ "root" "srid" ]; }; - services = { - openssh = { - enable = true; - permitRootLogin = "prohibit-password"; # distributed-build.nix requires it - passwordAuthentication = false; - }; - fail2ban = { - enable = true; - ignoreIP = [ - # quebec - "70.53.187.43" - ]; - }; - netdata.enable = true; - }; + services.netdata.enable = true; programs = { mosh.enable = true; @@ -139,11 +126,6 @@ isNormalUser = true; extraGroups = [ "wheel" "networkmanager" "adbusers" "audio" ]; }; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions
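Review bot: `allowedUsers = [ "root" "srid" ];` changes nothing for the two users listed, since Nix always admits trusted users to the daemon and `trustedUsers` on the next line already names exactly the same set; its actual effect is to refuse every other local account, which deserves a comment such as `# Only root/srid may talk to nix-daemon; trusted users are always admitted, all other accounts are refused`. Confirm no service account on this host needs nix-daemon access before relying on that. The kept `services.netdata.enable = true;` now sits behind a firewall managed by the harden module; whether netdata's listener is reachable from outside depends on its default bind address, which is not visible in this hunk. The enclosing `nix = { ... }` attribute set begins before the hunk.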