From 58905b7666b8a8a5540f25f2f486ce37737c6782 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Tue, 17 Mar 2026 19:28:26 +0100
Subject: [PATCH] Add security hardening and basic VPS setup

- Enable firewall with only SSH port 22 open, disable ping
- Harden SSH: disable root login and password auth
- Create non-root user 'ashie' with sudo access
- Add htop and tmux to system packages
- Enable automatic NixOS updates (no auto-reboot)
- Fix hostname syntax error (missing closing quote)
- Remove duplicate nixos/ subdirectory

Co-Authored-By: Claude Opus 4.6
---
 configuration.nix | 53 ++++++++++++++++++++++++--------
 nixos/configuration.nix | 19 ------------
 nixos/hardware-configuration.nix | 9 ------
 3 files changed, 40 insertions(+), 41 deletions(-)
 delete mode 100644 nixos/configuration.nix
 delete mode 100644 nixos/hardware-configuration.nix

diff --git a/configuration.nix b/configuration.nix
index aa82f7f..cc9e60f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,8 +1,6 @@
 { config, pkgs, lib, ... }: { imports = [ ./hardware-configuration.nix - - ]; # Workaround for https://github.com/NixOS/nix/issues/8502
@@ -10,25 +8,54 @@
 boot.tmp.cleanOnBoot = true; zramSwap.enable = true; - networking.hostName = "nixos; + networking.hostName = "nixos"; networking.domain = ""; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com'' ]; + + # === Firewall === + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 ]; # SSH + allowPing = false; + }; + + # === SSH Hardening === + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + + # === User Account === + users.users.ashie = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com" + ]; + }; + + # === Sudo without password for wheel group === + security.sudo.wheelNeedsPassword = false; + + # === Automatic Updates === + system.autoUpgrade = { + enable = true; + allowReboot = false; + }; + system.stateVersion = "23.11"; - - - environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor, also! + vim wget git nano - kitty.terminfo + kitty.terminfo + htop + tmux ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - - }
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
deleted file mode 100644
index 2fb08ab..0000000
--- a/nixos/configuration.nix
+++ /dev/null
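Review bot: `security.sudo.wheelNeedsPassword = false;` turns any session or leaked key for `ashie` into root with no further check, which gives back much of what disabling root SSH login just above it took away. Because PasswordAuthentication is off and `users.users.ashie` sets no `hashedPassword`, the default `wheelNeedsPassword = true` would leave sudo unusable, so the choice is between adding `users.users.ashie.hashedPassword = "<mkpasswd hash placeholder>";` and dropping the line, or keeping it under a comment that states it is a deliberate single-factor trade-off for a key-only host. In the SSH settings block, `KbdInteractiveAuthentication = false;` next to `PasswordAuthentication = false;` closes the PAM keyboard-interactive path that the latter alone can leave open. `allowedTCPPorts = [ 22 ]` duplicates what `services.openssh.openFirewall` (default true) already opens, which is harmless but worth a comment so the next reader does not assume the firewall block is the only thing exposing the port. The top-level attrset enclosing this hunk opens in the previous hunk.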
@@ -1,19 +0,0 @@
-{ ... }: {
- imports = [
- ./hardware-configuration.nix
-
-
- ];
-
- # Workaround for https://github.com/NixOS/nix/issues/8502
- services.logrotate.checkConfig = false;
-
- boot.tmp.cleanOnBoot = true;
- zramSwap.enable = true;
- networking.hostName = "ubuntu";
- networking.domain = "";
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com'' ];
- system.stateVersion = "23.11";
-
-}
diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix
deleted file mode 100644
index d634744..0000000
--- a/nixos/hardware-configuration.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ modulesPath, ... }:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.loader.grub.device = "/dev/vda";
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
- boot.initrd.kernelModules = [ "nvme" ];
- fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
-
-}