From 6adb943f580162ea6348e3910926fc2fcefcfa79 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Tue, 12 Aug 2025 10:12:39 -0700
Subject: add profiles for security, firewalls, and users

---
 profiles/core/security.nix | 4 ++++
 profiles/core/users.nix | 4 ++++
 profiles/default.nix | 4 ----
 profiles/network/firewall.nix | 10 ++++++++++
 profiles/server.nix | 11 -----------
 5 files changed, 18 insertions(+), 15 deletions(-)
 create mode 100644 profiles/core/security.nix
 create mode 100644 profiles/core/users.nix
 create mode 100644 profiles/network/firewall.nix
(limited to 'profiles')

diff --git a/profiles/core/security.nix b/profiles/core/security.nix
new file mode 100644
index 0000000..146012f
--- /dev/null
+++ b/profiles/core/security.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  security.sudo.wheelNeedsPassword = false;
+}
diff --git a/profiles/core/users.nix b/profiles/core/users.nix
new file mode 100644
index 0000000..e0d8662
--- /dev/null
+++ b/profiles/core/users.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  users.mutableUsers = false;
+}
diff --git a/profiles/default.nix b/profiles/default.nix
index 48da7b4..6d0af84 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -25,11 +25,7 @@
     };
   };
-  ## only allow declarative user management
-  users.mutableUsers = false;
-
   programs.fish.enable = true;
-  security.sudo.wheelNeedsPassword = false;
   ## disable that slow "building man-cache" step
   documentation.man.generateCaches = lib.mkForce false;
diff --git a/profiles/network/firewall.nix b/profiles/network/firewall.nix
new file mode 100644
index 0000000..1b30c84
--- /dev/null
+++ b/profiles/network/firewall.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  networking = {
+    firewall = {
+      enable = false;
+      allowPing = true;
+      logRefusedConnections = false;
+    };
+  };
+}
diff --git a/profiles/server.nix b/profiles/server.nix
index 82a20c7..593dd44 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
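Review bot: `security.sudo.wheelNeedsPassword = false;` in a core profile gives every wheel member root without re-authentication on every host that imports it, so a stolen SSH key or a hijacked shell session is immediately root with no second factor. If the motivation is that the accounts are fully declarative and carry no password (so sudo could never prompt), that reasoning belongs in the file, e.g. `# Passwordless sudo for wheel: users are declarative and may have no password to prompt for (see core/users.nix)`. Consider keeping the default and granting NOPASSWD only where it is actually needed, `security.sudo.extraRules = [{ users = [ "<name>" ]; commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; }];`, rather than for the whole group. Nothing in this diff shows which hosts import core/security.nix, so the blast radius cannot be judged from here.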
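Review bot: `users.mutableUsers = false;` locks every account that has no declared `hashedPassword`/`hashedPasswordFile`/`initialPassword`, root included, and reverts any password changed by hand with `passwd` at the next activation; none of the visible profiles declare one, so console login and password-based recovery depend on settings outside this diff. That is a sound default for SSH-key-only hosts (server.nix keeps root's authorized key), but the consequence should be stated in the file, e.g. `# Fully declarative users: accounts without a declared password are locked, so every host must ship an SSH key or a hashedPasswordFile for recovery.` This setting previously reached every consumer of profiles/default.nix and this diff does not show core/users.nix being imported anywhere, so check that the hosts which relied on default.nix (server.nix also drops its `imports = [ ./default.nix ];`) still receive it rather than silently falling back to mutable users.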
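Review bot: `enable = false;` in a profile named network/firewall.nix switches the NixOS firewall off for every host that imports it, leaving every listening service reachable, and `allowPing` / `logRefusedConnections` have no effect while the firewall is disabled, so those two lines only describe a policy that is not enforced. If the host sits behind an external filter (cloud security group, upstream router) and disabling is deliberate, record that where the decision is made, `# Firewall intentionally disabled: filtering is done by <external mechanism>; re-enable if this profile is used on a directly exposed host.`; otherwise set `enable = true;` and let services open their own ports (in current NixOS `services.openssh.openFirewall` defaults to true, so SSH keeps working). server.nix also drops `networking.firewall.allowedTCPPorts = [ 22 ];` in this commit, which is harmless only as long as the firewall stays off; if it is ever re-enabled with openssh's default overridden, that line must come back.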
@@ -2,19 +2,10 @@ ... }:
 {
-  imports = [ ./default.nix ];
-  networking = {
-    firewall = {
-      enable = false;
-      allowPing = true;
-      logRefusedConnections = false;
-    };
-  };
-
   # Used by systemd-resolved, not directly by resolv.conf.
   networking.nameservers = [
     "8.8.8.8#dns.google"
@@ -24,6 +15,4 @@
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
   ];
-
-  networking.firewall.allowedTCPPorts = [ 22 ];
 }
-- 
cgit v1.2.3