Merge pull request #44 from wi11-holdsworth/enhancement/37

enhancement/37

hosts/server/configuration.nix

@@ -25,7 +25,19 @@
 
   networking.hostName = "${hostName}";
 
-  services.openssh.enable = true;
+  # hardened openssh
+  services.openssh = {
+    passwordAuthentication = false;
+    allowSFTP = false; 
+    challengeResponseAuthentication = false;
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
 
   system.stateVersion = "24.11";
 

modules/nixos/default.nix

@@ -13,8 +13,7 @@
     "localisation"
     "network"
     "nh"
-    "nix-settings"
+    "nix"
-    "nixpkgs"
     "nixvim"
     "syncthing"
     "systemd-boot"

modules/nixos/features/network.nix

@@ -6,5 +6,6 @@
   networking = {
     hostName = "${hostName}";
     networkmanager.enable = true;
+    firewall.enable = true;
   };
 }

modules/nixos/features/nix.nix

@@ -1,4 +1,14 @@
 {
+  lib,
+  ...
+}:
+{
+  # rip out default packages
+  environment.defaultPackages = lib.mkForce [ ];
+
+  # allow packages with non-free licenses
+  nixpkgs.config.allowUnfree = true;
+
   nix = {
     gc = {
       automatic = true;
@@ -11,6 +21,7 @@
       persistent = true;
     };
     settings = {
+      allowed-users = [ "@wheel" ];
       experimental-features = [
         "nix-command"
         "flakes"

modules/nixos/features/nixpkgs.nix

@@ -1,3 +0,0 @@
-{
-  nixpkgs.config.allowUnfree = true;
-}

modules/nixos/features/sudo.nix

@@ -0,0 +1,6 @@
+{
+  ...
+}:
+{
+  security.sudo.execWheelOnly = true;
+}