kenji
6eef6108c4
- Remove SSH service (was temporary) - Close unused firewall ports (22, 80, 53) - Require sudo password for wheel group - Disable systemd-boot editor to prevent boot tampering - Remove boot.shell_on_fail kernel parameter - Add kernel hardening parameters (slab_nomerge, init_on_alloc, etc.) - Add sysctl hardening (dmesg_restrict, kptr_restrict, etc.) - Disable Avahi firewall broadcast - Disable Bluetooth auto power-on at boot 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
35 lines
693 B
Nix
35 lines
693 B
Nix
{
|
|
pkgs,
|
|
myConfig,
|
|
config,
|
|
...
|
|
}: {
|
|
security.pam.services.greetd.enableGnomeKeyring = true;
|
|
security.sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = true;
|
|
execWheelOnly = true;
|
|
extraConfig = ''
|
|
Defaults timestamp_timeout=15
|
|
Defaults passwd_tries=3
|
|
'';
|
|
};
|
|
environment.systemPackages = with pkgs; [
|
|
sops
|
|
age
|
|
ssh-to-age
|
|
];
|
|
sops = {
|
|
defaultSopsFile = ../../secrets/secrets.yaml;
|
|
age.keyFile = "/home/${myConfig.nixos.username}/.config/sops/age/keys.txt";
|
|
secrets = {
|
|
default_password = {
|
|
neededForUsers = true;
|
|
};
|
|
ssh_extra_config = {
|
|
owner = myConfig.nixos.username;
|
|
};
|
|
};
|
|
};
|
|
}
|