Add hardening module and enable firewall, auditd,

and fail2ban

modules/harden.nix

@@ -0,0 +1,23 @@
+{
+  networking.firewall.enable = true;
+
+  security.sudo.execWheelOnly = true;
+
+  security.sudo.wheelNeedsPassword = true;
+
+  security.auditd.enable = true;
+  security.audit.enable = true;
+
+  services = {
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "no"; # distributed-build.nix requires it
+      settings.PasswordAuthentication = false;
+      allowSFTP = false;
+    };
+    fail2ban = {
+      enable = true;
+    };
+  };
+  nix.settings.allowed-users = [ "root" "@users" ];
+}

modules/system.nix

@@ -1,15 +1,9 @@
 { config, pkgs, ... }:
 
 {
-
   # Enable CUPS to print documents.
   services.printing.enable = true;
 
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
   # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
@@ -24,15 +18,19 @@
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 
+  # Add system packages
   environment.systemPackages = with pkgs; [
-    git
   ];
 
+  # Enable fish shell
+  programs.fish.enable = true;
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.panotaka = {
     isNormalUser = true;
     description = "panotaka";
     extraGroups = [ "networkmanager" "wheel" ];
+    shell = pkgs.fish;
     openssh.authorizedKeys.keys = [
     ];
   };