From cd9835676d94c42e5e28e5b0332aced9a1bae8ec Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Fri, 19 Dec 2025 13:49:05 -0700
Subject: [PATCH] Security updates

---
 configuration.nix | 1 +
 modules/networking.nix | 15 +++++++++++----
 modules/packages.nix | 5 ++++-
 modules/security.nix | 27 +++++++++++++++++++++++++++
 modules/services.nix | 7 ++++++-
 5 files changed, 49 insertions(+), 6 deletions(-)
 create mode 100644 modules/security.nix

diff --git a/configuration.nix b/configuration.nix
index 0261285..6ccb16a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,6 +14,7 @@
 ./modules/packages.nix
 ./modules/hardware.nix
 ./modules/services.nix
+ ./modules/security.nix
 ./modules/aliases.nix
 ];
 
diff --git a/modules/networking.nix b/modules/networking.nix
index d947b88..43c85eb 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -6,10 +6,17 @@ in
 {
 networking.hostName = settings.hostname;
 
- # Enable networking
 networking.networkmanager.enable = true;
 
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.enable = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # Sunshine
+ 47984 47989 48010
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ # Sunshine
+ 47998 47999 48000 48010
+ ];
 }
diff --git a/modules/packages.nix b/modules/packages.nix
index 7c26317..0715e15 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -41,16 +41,19 @@
 nodePackages."pnpm"
 openssl
 ffmpeg
- beta.zed-editor
+ zed-editor
 usbutils
 qmk-udev-rules
 qmk
 ghostty
+ beta.dbeaver-bin
+ neofetch
 
 # Desktop applications
 bitwarden-desktop
 vlc
 streamrip
+ cider-2
 zotero
 prismlauncher
 lrcget
diff --git a/modules/security.nix b/modules/security.nix
new file mode 100644
index 0000000..9d10c3b
--- /dev/null
+++ b/modules/security.nix
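Review bot: The Sunshine ports added to `networking.firewall.allowedTCPPorts` and `networking.firewall.allowedUDPPorts` are opened on every interface, and because the same hunk keeps NetworkManager enabled that includes any untrusted Wi-Fi this host joins, so Sunshine's pairing and streaming endpoints become reachable from whatever network the machine is on. Since services.nix in this commit enables Tailscale, the safer form is to scope the lists to that interface, e.g. `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 47984 47989 48010 ];` and the UDP equivalent, or, if Sunshine is set up through the `services.sunshine` module, to let its `openFirewall` option manage the rules instead. A comment above each list recording which Sunshine function each port serves would also help the next reader judge whether a port can be dropped. The `let` binding that defines `settings` starts before the hunk.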
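Review bot: The package changes in this hunk (`beta.dbeaver-bin`, `neofetch`, `cider-2`, and the `beta.zed-editor` to `zed-editor` switch) are unrelated to the hardening the commit title describes, which makes the commit harder to audit and to revert selectively; splitting them into their own commit would keep the security change reviewable on its own. Separately, neofetch's upstream repository is archived and no longer receives fixes, so a comment noting that, or a maintained replacement, is worth considering. The enclosing package list continues outside the hunk on both sides.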
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+ security.sudo.execWheelOnly = true;
+
+ nix.settings.allowed-users = [ "@wheel" ];
+
+ security.apparmor.enable = true;
+
+ security.audit.enable = true;
+ security.auditd.enable = true;
+
+ services.fail2ban.enable = true;
+
+ boot.kernel.sysctl = {
+ "kernel.dmesg_restrict" = 1;
+ "net.ipv4.conf.all.log_martians" = 1;
+ "net.ipv4.conf.default.log_martians" = 1;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ };
+}
diff --git a/modules/services.nix b/modules/services.nix
index c2fa5a5..2bdcc30 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -2,7 +2,12 @@
 {
 # Enable the OpenSSH daemon
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ };
+ };
 
 # Tailscale
 services.tailscale.enable = true;
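Review bot: `security.audit.enable` and `security.auditd.enable` are turned on without any `security.audit.rules`, so auditd starts with an empty ruleset and records nothing beyond its own lifecycle; it only becomes useful once at least one rule is present, e.g. `security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];` to log every process execution. Likewise `services.fail2ban.enable = true` is set with no `services.fail2ban.ignoreIP`, so the Tailscale range this commit relies on in services.nix can be banned along with everything else and lock the admin out of their own host. The `boot.kernel.sysctl` block deserves a one-line comment per group (the `log_martians` and `icmp_echo_ignore_broadcasts` entries are logging and amplification hardening, the `accept_redirects`/`send_redirects` entries disable ICMP redirect acceptance and emission) so the intent survives the next edit. Finally, `security.apparmor.enable` by itself only loads the profiles nixpkgs already ships; it does not confine the services enabled above unless policies for them are added under `security.apparmor.policies`, which is worth stating in a comment so the setting is not mistaken for broader coverage.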