atridad/lavitz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security updates

Browse Source
This commit is contained in:
Atridad Lahiji
2025-12-19 13:49:05 -07:00
parent b1447f1ef5
commit cd9835676d
5 changed files with 49 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
configuration.nix
View File

@@ -14,6 +14,7 @@
./modules/packages.nix ./modules/packages.nix
./modules/hardware.nix ./modules/hardware.nix
./modules/services.nix ./modules/services.nix
./modules/security.nix
./modules/aliases.nix ./modules/aliases.nix
]; ];

15
modules/networking.nix
View File

@@ -6,10 +6,17 @@ in
{ {
networking.hostName = settings.hostname; networking.hostName = settings.hostname;
# Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
# Open ports in the firewall. networking.firewall.enable = true;
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; networking.firewall.allowedTCPPorts = [
# Sunshine
47984 47989 48010
];
networking.firewall.allowedUDPPorts = [
# Sunshine
47998 47999 48000 48010
];
} }

5
modules/packages.nix
View File

@@ -41,16 +41,19 @@
nodePackages."pnpm" nodePackages."pnpm"
openssl openssl
ffmpeg ffmpeg
beta.zed-editor zed-editor
usbutils usbutils
qmk-udev-rules qmk-udev-rules
qmk qmk
ghostty ghostty
beta.dbeaver-bin
neofetch
# Desktop applications # Desktop applications
bitwarden-desktop bitwarden-desktop
vlc vlc
streamrip streamrip
cider-2
zotero zotero
prismlauncher prismlauncher
lrcget lrcget

27
modules/security.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
security.sudo.execWheelOnly = true;
nix.settings.allowed-users = [ "@wheel" ];
security.apparmor.enable = true;
security.audit.enable = true;
security.auditd.enable = true;
services.fail2ban.enable = true;
boot.kernel.sysctl = {
"kernel.dmesg_restrict" = 1;
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
};
}

7
modules/services.nix
View File

@@ -2,7 +2,12 @@
{ {
# Enable the OpenSSH daemon # Enable the OpenSSH daemon
services.openssh.enable = true; services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
};
};
# Tailscale # Tailscale
services.tailscale.enable = true; services.tailscale.enable = true;