fix(security): harden system configuration

- Remove SSH service (was temporary)
- Close unused firewall ports (22, 80, 53)
- Require sudo password for wheel group
- Disable systemd-boot editor to prevent boot tampering
- Remove boot.shell_on_fail kernel parameter
- Add kernel hardening parameters (slab_nomerge, init_on_alloc, etc.)
- Add sysctl hardening (dmesg_restrict, kptr_restrict, etc.)
- Disable Avahi firewall broadcast
- Disable Bluetooth auto power-on at boot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

TODO.md

@@ -1,6 +1,3 @@
 * fix: special workspace preload always loads first. Toggling it back is easy, but i'd rather create a new sh script that forces back to normal workspace.
-* add: hypridle
 * add: similar to omarchy-menu
 * cleanup: stylix configurations and wallpaper
-* cleanup: convert `anonymize` fixme's to secret keys
-* add: hyprlock

modules/nixos/boot.nix

@@ -6,6 +6,7 @@
       timeout = 0;
       systemd-boot = {
         enable = true;
+        editor = false;
       };
 
       efi = {

modules/nixos/hardware.nix

@@ -6,7 +6,7 @@
   hardware = {
     bluetooth = {
       enable = true;
-      powerOnBoot = true;
+      powerOnBoot = false;
     };
   };
   networking = {
@@ -16,8 +16,8 @@
     wireless.iwd.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [22 80];
-      allowedUDPPorts = [53];
+      allowedTCPPorts = [];
+      allowedUDPPorts = [];
     };
   };
 }

modules/nixos/kernel.nix

@@ -5,9 +5,21 @@
       "quiet"
       "splash"
       "intremap=on"
-      "boot.shell_on_fail"
       "udev.log_priority=3"
       "rd.systemd.show_status=auto"
+      # Security hardening
+      "slab_nomerge"
+      "init_on_alloc=1"
+      "init_on_free=1"
+      "page_alloc.shuffle=1"
+      "randomize_kstack_offset=on"
+      "vsyscall=none"
     ];
+    kernel.sysctl = {
+      "kernel.dmesg_restrict" = 1;
+      "kernel.kptr_restrict" = 2;
+      "kernel.unprivileged_bpf_disabled" = 1;
+      "net.core.bpf_jit_harden" = 2;
+    };
   };
 }

modules/nixos/security.nix

@@ -5,6 +5,15 @@
   ...
 }: {
   security.pam.services.greetd.enableGnomeKeyring = true;
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = true;
+    execWheelOnly = true;
+    extraConfig = ''
+      Defaults timestamp_timeout=15
+      Defaults passwd_tries=3
+    '';
+  };
   environment.systemPackages = with pkgs; [
     sops
     age

modules/nixos/services.nix

@@ -18,7 +18,6 @@
     };
 
     # essentials
-    openssh.enable = true; # FIXME: remove when done
     blueman.enable = true;
 
     # for encryption support for unfree apps
@@ -29,7 +28,7 @@
     avahi = {
       enable = true;
       nssmdns4 = true;
-      openFirewall = true;
+      openFirewall = false;
     };
     pipewire = {
       enable = true;