flakes/modules/system/security.nix

{ config, pkgs, ... }: {
  networking.firewall =
  let
    iptables = "${pkgs.iptables}/bin/iptables";
    genCmds = type: ''
      ${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
      ${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
    '';
  in {
    enable = true;
    allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
    allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
    trustedInterfaces = [ "wg0" ];

    extraCommands = genCmds "I";
    extraStopCommands = genCmds "D";
  };

  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      X11Forwarding = true;
    };

    hostKeys = [
      {
        bits = 4096;
        path = "/persist/ssh_host_rsa_key";
        rounds = 100;
        type = "rsa";
      }
      {
        path = "/persist/ssh_host_ed25519_key";
        rounds = 100;
        type = "ed25519";
      }
    ];
  };

  security = {
    polkit.enable = true;
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          groups = [ "wheel" ];
          keepEnv = true;
          persist = true;
        }
      ];
    };
  };
}
a 2021-05-11 14:32:58 +07:00			`{ config, pkgs, ... }: {`
system/security: open firewall for local network 2023-09-04 12:28:19 +07:00			`networking.firewall =`
			`let`
			`iptables = "${pkgs.iptables}/bin/iptables";`
			`genCmds = type: ''`
			`${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " \|\| true" else ""}`
			`${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " \|\| true" else ""}`
			`'';`
			`in {`
security: enable firewall 2021-09-20 13:42:43 +00:00			`enable = true;`
system/security: allow more firewall port ranges 2022-01-11 11:39:56 +07:00			`allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];`
			`allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];`
security: enable firewall 2021-09-20 13:42:43 +00:00			`trustedInterfaces = [ "wg0" ];`
system/security: open firewall for local network 2023-09-04 12:28:19 +07:00
			`extraCommands = genCmds "I";`
			`extraStopCommands = genCmds "D";`
security: enable firewall 2021-09-20 13:42:43 +00:00			`};`
disallow ssh root login and password auth 2021-07-15 08:39:09 +07:00
			`services.openssh = {`
			`enable = true;`
system/security: update config 2023-06-18 21:31:27 +07:00			`settings = {`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = false;`
			`X11Forwarding = true;`
			`};`
security: set openssh.hostKeys 2021-09-20 18:40:15 +07:00
			`hostKeys = [`
			`{`
			`bits = 4096;`
treewide: persist rework 2022-08-09 15:17:30 +07:00			`path = "/persist/ssh_host_rsa_key";`
security: set openssh.hostKeys 2021-09-20 18:40:15 +07:00			`rounds = 100;`
			`type = "rsa";`
			`}`
			`{`
treewide: persist rework 2022-08-09 15:17:30 +07:00			`path = "/persist/ssh_host_ed25519_key";`
security: set openssh.hostKeys 2021-09-20 18:40:15 +07:00			`rounds = 100;`
			`type = "ed25519";`
			`}`
			`];`
disallow ssh root login and password auth 2021-07-15 08:39:09 +07:00			`};`
a 2021-05-11 14:32:58 +07:00
			`security = {`
			`polkit.enable = true;`
			`sudo.enable = false;`
			`doas = {`
			`enable = true;`
			`extraRules = [`
			`{`
formatting goes brrr 2021-07-15 19:57:49 +07:00			`groups = [ "wheel" ];`
a 2021-05-11 14:32:58 +07:00			`keepEnv = true;`
			`persist = true;`
			`}`
			`];`
			`};`
			`};`
			`}`