refactoring to more granular flakes and modules

2025-10-21 22:12:23 -05:00 · 2025-10-21 22:12:23 -05:00 · 50825c9b84
commit 50825c9b84
parent 6570da6f33
52 changed files with 2501 additions and 9 deletions
--- a/flakes/common/nix_modules/hardening.nix
+++ b/flakes/common/nix_modules/hardening.nix
@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  environment.systemPackages = with pkgs; [
+    openssh
+    autossh
+  ];
+
+  # name this computer
+  networking = {
+    # hostName = top_cfg.systemName;
+    nftables.enable = true;
+    # Clears firewall rules on reboot, only ones set in config will be remade
+    nftables.flushRuleset = true;
+    firewall.enable = true;
+  };
+
+  # TODO invesitgate onensnitch usage and rules I may want. It is cumbersome with flushRuleset above...
+  # services.opensnitch = {
+  #   enable = true;
+  #   settings = {
+  #     Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
+  #     InterceptUknown = true;
+  #     ProcMonitorMethod = "ebpf";
+  #     DefaultAction = "deny";
+  #   };
+  #   rules = {
+  #
+  #   };
+  # };
+
+  # Use fail2ban
+  services.fail2ban = {
+    enable = true;
+    # Ignore my tailnet
+    ignoreIP = [
+      "100.64.0.0/10"
+    ];
+  };
+
+  # Open ports in the firewall if enabled.
+  networking.firewall.allowedTCPPorts = [
+    22 # sshd
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      LogLevel = "VERBOSE";
+      PermitRootLogin = "yes";
+      PasswordAuthentication = false;
+    };
+  };
+
+  # Ensure SSH key pair generation for non-root users
+  systemd.services = lib.mapAttrs' (name: _: {
+    name = "generate_ssh_key_${name}";
+    value = {
+      description = "Generate SSH key pair for ${name}";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = name;
+        Type = "oneshot";
+      };
+      script = ''
+        #!/run/current-system/sw/bin/bash
+        if [ ! -f /home/${name}/.ssh/id_ed25519 ]; then
+          if [ -v DRY_RUN ]; then
+            echo "DRY_RUN is set. Would generate SSH key for ${name}.";
+          else
+            echo "Generating SSH key for ${name}.";
+            mkdir -p /home/${name}/.ssh;
+            chmod 700 /home/${name}/.ssh;
+            /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${name}/.ssh/id_ed25519 -N "";
+          fi
+        else
+          echo "SSH key already exists for ${name}.";
+        fi
+      '';
+    };
+  }) config.users.users;
+}