authorFranck Cuny <franck@fcuny.net>2025-08-12 10:12:39 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-12 10:12:39 -0700
commit6adb943f580162ea6348e3910926fc2fcefcfa79 (patch)
treed802fd738ffed6eaa508acfd5d0c98b38331fab5
parentadd a profile for boot (diff)
downloadinfra-6adb943f580162ea6348e3910926fc2fcefcfa79.tar.gz
add profiles for security, firewalls, and users
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix3
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix3
-rw-r--r--profiles/core/security.nix4
-rw-r--r--profiles/core/users.nix4
-rw-r--r--profiles/default.nix4
-rw-r--r--profiles/network/firewall.nix10
-rw-r--r--profiles/server.nix11
7 files changed, 24 insertions, 15 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 7888843..f3906a1 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -27,9 +27,12 @@
"${self}/profiles/core/locale.nix"
"${self}/profiles/core/ssh.nix"
"${self}/profiles/core/tools.nix"
+ "${self}/profiles/core/security.nix"
+ "${self}/profiles/core/users.nix"
"${self}/profiles/core/motd.nix"
"${self}/profiles/nix/gc.nix"
"${self}/profiles/network/networkd.nix"
+ "${self}/profiles/network/firewall.nix"
"${self}/profiles/services/podman.nix"
];
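Review bot: The three new imports turn settings that `profiles/default.nix` used to apply to every importer into per-machine opt-ins, and only `do-rproxy` and `synology-vm` opt in here (same hunk in `machines/nixos/x86_64-linux/synology-vm/default.nix`). Any other host that imports `profiles/default.nix` or `profiles/server.nix` but not these files silently falls back to the NixOS defaults for `users.mutableUsers` and `networking.firewall.enable`, which is a behavioural change this commit does not mention. If no such host exists this is fine, but it is worth checking the remaining `machines/` directories and saying so in the commit message. The enclosing `imports` list begins outside the hunk.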
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 820f1a7..a7d0aa1 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -41,9 +41,12 @@
"${self}/profiles/core/locale.nix"
"${self}/profiles/core/ssh.nix"
"${self}/profiles/core/tools.nix"
+ "${self}/profiles/core/security.nix"
+ "${self}/profiles/core/users.nix"
"${self}/profiles/core/motd.nix"
"${self}/profiles/nix/gc.nix"
"${self}/profiles/network/networkd.nix"
+ "${self}/profiles/network/firewall.nix"
"${self}/profiles/services/podman.nix"
];
diff --git a/profiles/core/security.nix b/profiles/core/security.nix
new file mode 100644
index 0000000..146012f
--- /dev/null
+++ b/profiles/core/security.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ security.sudo.wheelNeedsPassword = false;
+}
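Review bot: `security.sudo.wheelNeedsPassword = false;` is moved here from `profiles/default.nix` without a comment, and as the sole content of a file named `security.nix` the reason for passwordless sudo is not obvious to a reader. Presumably it is because users are declared immutably and reach these hosts with SSH keys only, so a wheel member may have no local password to type — if that is the reason, recording it as `# wheel members log in with SSH keys only; there may be no local password to prompt for` would save the next maintainer from "fixing" it. Note that this profile now applies to every machine that imports it, so the assumption should hold for each of them.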
diff --git a/profiles/core/users.nix b/profiles/core/users.nix
new file mode 100644
index 0000000..e0d8662
--- /dev/null
+++ b/profiles/core/users.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ users.mutableUsers = false;
+}
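Review bot: The explanatory comment that accompanied this option in `profiles/default.nix` (`## only allow declarative user management`) was dropped in the move; the new file sets `users.mutableUsers = false;` bare. Carrying the comment over keeps the intent visible where the setting now lives.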
diff --git a/profiles/default.nix b/profiles/default.nix
index 48da7b4..6d0af84 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -25,11 +25,7 @@
};
};
- ## only allow declarative user management
- users.mutableUsers = false;
-
programs.fish.enable = true;
- security.sudo.wheelNeedsPassword = false;
## disable that slow "building man-cache" step
documentation.man.generateCaches = lib.mkForce false;
diff --git a/profiles/network/firewall.nix b/profiles/network/firewall.nix
new file mode 100644
index 0000000..1b30c84
--- /dev/null
+++ b/profiles/network/firewall.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ networking = {
+ firewall = {
+ enable = false;
+ allowPing = true;
+ logRefusedConnections = false;
+ };
+ };
+}
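Review bot: A profile named `firewall.nix` whose effect is `enable = false` deserves a comment stating why the host firewall is off (reliance on an upstream provider firewall, container networking, or similar — the diff does not say), since `allowPing` and `logRefusedConnections` are no-ops while it is disabled. Separately, `networking.firewall.allowedTCPPorts = [ 22 ];`, removed from `profiles/server.nix` in its second hunk, is not carried over here; it was also a no-op with the firewall disabled, but keeping it in this file means that anyone who later flips `enable = true` does not lock themselves out of SSH. I would add `allowedTCPPorts = [ 22 ];` next to `allowPing` together with a one-line comment on why `enable` is false.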
diff --git a/profiles/server.nix b/profiles/server.nix
index 82a20c7..593dd44 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -2,19 +2,10 @@
...
}:
{
-
imports = [
./default.nix
];
- networking = {
- firewall = {
- enable = false;
- allowPing = true;
- logRefusedConnections = false;
- };
- };
-
# Used by systemd-resolved, not directly by resolv.conf.
networking.nameservers = [
"8.8.8.8#dns.google"
@@ -24,6 +15,4 @@
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
];
-
- networking.firewall.allowedTCPPorts = [ 22 ];
}