From 96e1951ecfa10bf0cea1ca79fa6202a1d0179d89 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:24:23 +1100
Subject: [PATCH 1/6] feat: enable firewall on all systems
---
 modules/nixos/features/network.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/nixos/features/network.nix b/modules/nixos/features/network.nix
index 5ea2774..ce2b3a9 100644
--- a/modules/nixos/features/network.nix
+++ b/modules/nixos/features/network.nix
@@ -6,5 +6,6 @@
 networking = {
 hostName = "${hostName}";
 networkmanager.enable = true;
+ firewall.enable = true;
 };
 }
From a62a9b6990de1d19c8793324d75a3dd3c20efa2a Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:24:39 +1100
Subject: [PATCH 2/6] feat: confine sudo access to users with the wheel group only
---
 modules/nixos/features/sudo.nix | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 modules/nixos/features/sudo.nix
diff --git a/modules/nixos/features/sudo.nix b/modules/nixos/features/sudo.nix
new file mode 100644
index 0000000..78f1db5
--- /dev/null
+++ b/modules/nixos/features/sudo.nix
@@ -0,0 +1,6 @@
+{
+ ...
+}:
+{
+ security.sudo.execWheelOnly = true;
+}
From f4c10a0a0bf3676c564cd436c8283ac8d64d0335 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:26:30 +1100
Subject: [PATCH 3/6] refactor: combine nix-settings and nixpkgs modules into one nix module
---
 modules/nixos/default.nix | 3 +--
 modules/nixos/features/{nix-settings.nix => nix.nix} | 7 +++++++
 modules/nixos/features/nixpkgs.nix | 3 ---
 3 files changed, 8 insertions(+), 5 deletions(-)
 rename modules/nixos/features/{nix-settings.nix => nix.nix} (80%)
 delete mode 100644 modules/nixos/features/nixpkgs.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 804f01d..e980470 100644
--- a/modules/nixos/default.nix
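Review bot: `firewall.enable = true;` restates the NixOS default for `networking.firewall.enable`, so on its own the line changes nothing; if the intent is to pin the policy so no host inherits a disabled firewall, say so in a comment, e.g. `# already the NixOS default; pinned so a host cannot silently run without a firewall`. A bare boolean definition also hard-conflicts (evaluation error) with any host that sets `networking.firewall.enable = false`, so decide whether that is wanted or whether a `mkDefault` is meant, should `lib` be in scope here. With the firewall on for every host, inbound services such as the syncthing feature listed in default.nix need their ports opened explicitly (`networking.firewall.allowedTCPPorts` or the service's own open-firewall option), which this series does not touch. The enclosing `networking` attribute set starts inside the hunk but the file's function header lies outside it.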
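Review bot: The new sudo.nix module is never wired in by this series: the patch 3 hunk of modules/nixos/default.nix shows `"nixvim"` followed directly by `"syncthing"` with no `"sudo"` entry, so unless the feature list is not the import mechanism, `security.sudo.execWheelOnly = true;` is never evaluated. Add `"sudo"` to that list in the same commit, or document in this file how the module is imported. A comment on the option itself would also help, since it restricts who may execute the sudo binary rather than what wheel members may run: `# only wheel members may execute sudo at all; what they may run is still governed by security.sudo.extraRules / wheelNeedsPassword`.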
+++ b/modules/nixos/default.nix
@@ -13,8 +13,7 @@
 "localisation"
 "network"
 "nh"
- "nix-settings"
- "nixpkgs"
+ "nix"
 "nixvim"
 "syncthing"
 "systemd-boot"
diff --git a/modules/nixos/features/nix-settings.nix b/modules/nixos/features/nix.nix
similarity index 80%
rename from modules/nixos/features/nix-settings.nix
rename to modules/nixos/features/nix.nix
index eda2992..498861b 100644
--- a/modules/nixos/features/nix-settings.nix
+++ b/modules/nixos/features/nix.nix
@@ -1,4 +1,11 @@
 {
+ lib,
+ ...
+}:
+{
+ # allow packages with non-free licenses
+ nixpkgs.config.allowUnfree = true;
+
 nix = {
 gc = {
 automatic = true;
diff --git a/modules/nixos/features/nixpkgs.nix b/modules/nixos/features/nixpkgs.nix
deleted file mode 100644
index e95ec3c..0000000
--- a/modules/nixos/features/nixpkgs.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- nixpkgs.config.allowUnfree = true;
-}
From ef927bcfda3984a89abcbc46af81b82a8a75c3aa Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:28:30 +1100
Subject: [PATCH 4/6] feat: restrict nix package manager to wheel group
---
 modules/nixos/features/nix.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/nixos/features/nix.nix b/modules/nixos/features/nix.nix
index 498861b..ab6eca1 100644
--- a/modules/nixos/features/nix.nix
+++ b/modules/nixos/features/nix.nix
@@ -18,6 +18,7 @@
 persistent = true;
 };
 settings = {
+ allowed-users = [ "@wheel" ];
 experimental-features = [
 "nix-command"
 "flakes"
From 2652248bc3fc13741bb2d655c228a86b6bcf5a2b Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:27:36 +1100
Subject: [PATCH 5/6] feat: rip out default packages
---
 modules/nixos/features/nix.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/nixos/features/nix.nix b/modules/nixos/features/nix.nix
index ab6eca1..a73a504 100644
--- a/modules/nixos/features/nix.nix
+++ b/modules/nixos/features/nix.nix
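Review bot: `allowed-users = [ "@wheel" ];` only gates who may connect to the nix daemon; `trusted-users` (root by default) are always admitted and can additionally override substituters and sandbox settings, so this restriction holds only if `trusted-users` is not widened elsewhere in the `settings` block, which continues outside the hunk. Root therefore remains able to use nix, but any non-wheel service account that invokes nix will now be refused, which is worth checking against the hosts' services before rollout. Suggest recording the exemption next to the line: `# only wheel may talk to the nix daemon; root and trusted-users are always admitted`.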
@@ -3,6 +3,9 @@
 ...
 }:
 {
+ # rip out default packages
+ environment.defaultPackages = lib.mkForce [ ];
+
 # allow packages with non-free licenses
 nixpkgs.config.allowUnfree = true;
From 77225f2fa1f4f20ba41e0ad61a34864dc9ec8e60 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:28:44 +1100
Subject: [PATCH 6/6] feat: harden sshd on server
---
 hosts/server/configuration.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 0311fe3..8854a0d 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -25,7 +25,19 @@
 networking.hostName = "${hostName}";
- services.openssh.enable = true;
+ # hardened openssh
+ services.openssh = {
+ passwordAuthentication = false;
+ allowSFTP = false;
+ challengeResponseAuthentication = false;
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
 system.stateVersion = "24.11";
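Review bot: `lib.mkForce [ ]` is stronger than the goal needs and silently discards host-level definitions: a plain `environment.defaultPackages = [ ];` already replaces the option's default (perl, rsync, strace), and because list definitions merge, a host could still re-add one package deliberately, whereas `mkForce` drops such a definition without any error. If the override is intended, the comment should say why, e.g. `# rip out default packages (perl, rsync, strace); mkForce so no host can re-add them`. Placing a system-environment setting in the nix daemon module is also a findability problem; a reader looking for `environment.*` options will not search here. The enclosing attribute set starts and ends outside the hunk.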
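Review bot: The removed `services.openssh.enable = true;` has no counterpart inside the new `services.openssh = { ... }` attribute set, so unless another module enables sshd the server's SSH daemon is now off and every hardening line below is inert; add `enable = true;` as the first attribute. `passwordAuthentication` and `challengeResponseAuthentication` are the legacy aliases that current NixOS releases map, with a deprecation warning, to `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;`, so use the `settings` form directly. `AllowTcpForwarding yes` inside a block labelled "hardened openssh" needs a why-comment if the tunnels are wanted, otherwise it should be `no` alongside the other forwarding denials. The enclosing attribute set starts and ends outside the hunk, and the hunk's blank context lines were lost when the patch was collapsed.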