diff --git a/config/network.nix b/config/network.nix
index dd56fdf..239dd8f 100644
--- a/config/network.nix
+++ b/config/network.nix
@@ -9,7 +9,14 @@
 openssh = {
 enable = true;
 openFirewall = true;
+
+ allowSFTP = false;
+ challengeResponseAuthentication = false;
 settings = {
+ AllowAgentForwarding = false;
+ AllowStreamLocalForwarding = false;
+ AllowTcpForwarding = true;
+ AuthenticationMethods = "publickey";
 KexAlgorithms = [
 "curve25519-sha256"
 "curve25519-sha256@libssh.org"
@@ -19,7 +26,7 @@
 ];
 PasswordAuthentication = false;
 PermitRootLogin = "prohibit-password";
- StreamLocalBindUnlink = "yes";
+ X11Forwarding = false;
 };
 };
 };
diff --git a/config/nix.nix b/config/nix.nix
index 0b98253..dbdde7d 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -7,10 +7,8 @@
 "nix-command"
 "flakes"
 ];
- trusted-users = [
- "@wheel"
- "winston"
- ];
+ allowed-users = [ "root" ];
+ trusted-users = [ "root" ];
 };
 };
 }
diff --git a/flake.nix b/flake.nix
index 0375786..ad10c78 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,8 +22,15 @@
 modules = [
 {
 nixpkgs = {
- config.allowUnfree = true;
 inherit overlays;
+ config.allowUnfreePredicate =
+ pkg:
+ builtins.elem (nixpkgs.lib.getName pkg) [
+ "elasticsearch"
+ "satisfactory-server"
+ "steamworks-sdk-redist"
+ "valheim-server"
+ ];
 };
 }
 ./hosts/main-node
@@ -65,12 +72,10 @@
 devShells.default = pkgs.mkShell {
 inherit (config.pre-commit.devShell) shellHook;
- buildInputs = [
+ packages = [
 inputs'.agenix.packages.agenix
 pkgs.age-plugin-yubikey
 pkgs.unstable.deploy-rs
- pkgs.unstable.nh
- pkgs.unstable.nixd
 self'.formatter
 ];
 };
diff --git a/modules/wakapi.nix b/modules/wakapi.nix
index 136f514..4b97db7 100644
--- a/modules/wakapi.nix
+++ b/modules/wakapi.nix
@@ -30,6 +30,7 @@ let
 Group = "wakapi";
 DynamicUser = true;
+ NoNewPrivileges = true;
 ProtectHome = true;
 ProtectHostname = true;
 ProtectKernelLogs = true;
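Review bot: `challengeResponseAuthentication = false;` is set on `services.openssh` itself while every other option this hunk adds goes under `settings`; on recent NixOS that top-level option is, to my knowledge, only a renamed alias for `settings.KbdInteractiveAuthentication`, so it is cleaner to write `KbdInteractiveAuthentication = false;` next to `AuthenticationMethods` inside `settings` (verify against the nixpkgs revision the flake pins). `AllowTcpForwarding = true;` stands out because agent forwarding, stream-local forwarding and (in the second hunk) X11 forwarding are all switched off in the same change; if TCP forwarding is kept on deliberately, a one-line comment such as `# TCP forwarding stays enabled for <reason>` stops the next reader from treating it as an oversight. The `settings` attrset continues past the end of the hunk.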
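Review bot: `allowed-users = [ "root" ];` is a larger change than the removed `trusted-users` lines suggest: it stops every non-root account, including the `winston` user and the `@wheel` group that were previously trusted, from talking to the nix daemon at all, so any non-root session that runs `nix` on this host will be refused. That is a reasonable hardening choice, but it deserves a comment stating the intent, e.g. `# only root may use the daemon; non-root users cannot build or evaluate on this host`. `trusted-users = [ "root" ];` is, as far as I know, the daemon's default, so that line documents rather than changes anything; saying so in the same comment keeps the two lines from being read as equivalent tightenings.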
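Review bot: The unfree allow-list is an anonymous literal nested inside the `allowUnfreePredicate` lambda; lifting it to a named binding such as `unfreePackages = [ "elasticsearch" "satisfactory-server" "steamworks-sdk-redist" "valheim-server" ];` above the module and writing `config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) unfreePackages;` makes each future addition a reviewable list edit rather than a change to the predicate. Note that `nixpkgs.config` only applies to the nixpkgs instance the NixOS module instantiates; if the `overlays` inherited on the previous line construct a second instance (the `pkgs.unstable.*` references in the next hunk suggest one exists), that instance has its own `config` and will not see this predicate, so its unfree packages need the same allow-list where it is imported. The `modules` list continues outside the hunk.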
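Review bot: `NoNewPrivileges = true;` is already implied by `DynamicUser = true;` on the line above (systemd.exec(5) lists NoNewPrivileges among the settings DynamicUser turns on), so the addition is belt-and-braces rather than a new restriction. Keeping it explicit is reasonable, but a comment like `# implied by DynamicUser; kept explicit so it survives if DynamicUser is ever dropped` records why the redundancy is intentional. The attrset these directives live in (presumably a serviceConfig) starts and ends outside the hunk, so other hardening directives may sit in the unseen lines.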