Add hardening module and enable firewall, auditd,

and fail2ban
2023-12-05 23:27:01 -04:00
parent 2bc5ed92e1
commit 1c6a99e5fb
3 changed files with 29 additions and 7 deletions
--- a/modules/harden.nix
+++ b/modules/harden.nix
@@ -0,0 +1,23 @@
+{
+  networking.firewall.enable = true;
+
+  security.sudo.execWheelOnly = true;
+
+  security.sudo.wheelNeedsPassword = true;
+
+  security.auditd.enable = true;
+  security.audit.enable = true;
+
+  services = {
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "no"; # distributed-build.nix requires it
+      settings.PasswordAuthentication = false;
+      allowSFTP = false;
+    };
+    fail2ban = {
+      enable = true;
+    };
+  };
+  nix.settings.allowed-users = [ "root" "@users" ];
+}