system/security: don't log refused connections

flake.lock

@@ -287,6 +287,27 @@
         "type": "github"
       }
     },
+    "home-manager-stable": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1706981411,
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-23.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "home-manager_2": {
       "inputs": {
         "nixpkgs": [
@@ -507,6 +528,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1710283656,
+        "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1705133751,
@@ -579,6 +616,7 @@
         "fast-syntax-highlighting": "fast-syntax-highlighting",
         "home-manager": "home-manager_2",
         "home-manager-raccoon": "home-manager-raccoon",
+        "home-manager-stable": "home-manager-stable",
         "hosts-blocklists": "hosts-blocklists",
         "linux-tkg": "linux-tkg",
         "neovim-nightly": "neovim-nightly",
@@ -587,6 +625,7 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-raccoon": "nixpkgs-raccoon",
+        "nixpkgs-stable": "nixpkgs-stable",
         "nvim-treesitter": "nvim-treesitter",
         "packwiz": "packwiz",
         "pure": "pure",

hosts/dandelion/default.nix

@@ -14,6 +14,8 @@
     security
     #wireguard
 
+    modules.services.postgres
+
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix

hosts/dandelion/filesystem.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
   bind = src: {
     depends = [ "/nix" ];

modules/services/postgres.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
   uid = toString config.ids.uids.postgres;
@@ -8,6 +8,7 @@ in {
   services.postgresql = {
     enable = true;
     dataDir = dir;
+    package = pkgs.postgresql_13;
     authentication = lib.mkOverride 10 ''
       #type  database  DBuser  origin-address      auth-method
       local  all       all                         trust

modules/system/security.nix

@@ -11,6 +11,7 @@
     allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
     allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
     trustedInterfaces = [ "wg0" ];
+    logRefusedConnections = false;
 
     extraCommands = genCmds "I";
     extraStopCommands = genCmds "D";

users/hana/default.nix

@@ -1,10 +1,11 @@
 { config, lib, modules, pkgs, ... }: {
+  programs.zsh.enable = true;
   users.users.hana = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
     shell = pkgs.zsh;
     uid = 1002;
-    hashedPassword = "$y$j9T$BxnsFaGwBfSKe4jAJaaxI.$cpFtu8fzFhKalIV3WGuA2jz4//KJBwhiybpnlmoZPy.";
+    hashedPassword = "$y$j9T$3xCNDudmfrIu5VfQQoDkj/$ugzJWq0gORN9jnhDsREu31CkL3zwniQu6KoLbmg6Wr/";
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15 rin@blossom"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5l9t8dc6mPsKKYqZlPKvhOdyqz+DS5UOcvHuh3uVGt @strawberry"