Security updates

2025-12-19 13:49:05 -07:00
parent b1447f1ef5
commit cd9835676d
5 changed files with 49 additions and 6 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,6 +14,7 @@
    ./modules/packages.nix
    ./modules/hardware.nix
    ./modules/services.nix
+    ./modules/security.nix
    ./modules/aliases.nix
  ];

--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -6,10 +6,17 @@ in
 {
  networking.hostName = settings.hostname;

-  # Enable networking
  networking.networkmanager.enable = true;

-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  networking.firewall.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 
+    # Sunshine
+    47984 47989 48010 
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 
+    # Sunshine
+    47998 47999 48000 48010 
+  ];
 }
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -41,16 +41,19 @@
      nodePackages."pnpm"
      openssl
      ffmpeg
-      beta.zed-editor
+      zed-editor
      usbutils
      qmk-udev-rules
      qmk
      ghostty
+      beta.dbeaver-bin
+      neofetch

      # Desktop applications
      bitwarden-desktop
      vlc
      streamrip
+      cider-2
      zotero
      prismlauncher
      lrcget
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+  security.sudo.execWheelOnly = true;
+  
+  nix.settings.allowed-users = [ "@wheel" ];
+
+  security.apparmor.enable = true;
+
+  security.audit.enable = true;
+  security.auditd.enable = true;
+
+  services.fail2ban.enable = true;
+
+  boot.kernel.sysctl = {
+    "kernel.dmesg_restrict" = 1;
+    "net.ipv4.conf.all.log_martians" = 1;
+    "net.ipv4.conf.default.log_martians" = 1;
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+  };
+}
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -2,7 +2,12 @@

 {
  # Enable the OpenSSH daemon
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+    };
+  };

  # Tailscale
  services.tailscale.enable = true;