Add security hardening and basic VPS setup

- Enable firewall with only SSH port 22 open, disable ping - Harden SSH: disable root login and password auth - Create non-root user 'ashie' with sudo access - Add htop and tmux to system packages - Enable automatic NixOS updates (no auto-reboot) - Fix hostname syntax error (missing closing quote) - Remove duplicate nixos/ subdirectory Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 19:28:26 +01:00 · 2026-03-17 19:28:26 +01:00 · 58905b7666
commit 58905b7666
parent e2277631af
3 changed files with 40 additions and 41 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,8 +1,6 @@
 { config, pkgs, lib, ... }: {
  imports = [
    ./hardware-configuration.nix
-    
-    
  ];

  # Workaround for https://github.com/NixOS/nix/issues/8502
@ -10,25 +8,54 @@

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
-  networking.hostName = "nixos;
+  networking.hostName = "nixos";
  networking.domain = "";
-  services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com'' ];
+
+  # === Firewall ===
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 ]; # SSH
+    allowPing = false;
+  };
+
+  # === SSH Hardening ===
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+
+  # === User Account ===
+  users.users.ashie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com"
+    ];
+  };
+
+  # === Sudo without password for wheel group ===
+  security.sudo.wheelNeedsPassword = false;
+
+  # === Automatic Updates ===
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = false;
+  };
+
  system.stateVersion = "23.11";

-
-
-
  environment.systemPackages = with pkgs; [
-    vim # Do not forget to add an editor, also!
+    vim
    wget
    git
    nano
    kitty.terminfo
+    htop
+    tmux
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-
-  
 }
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -1,19 +0,0 @@
-{ ... }: {
-  imports = [
-    ./hardware-configuration.nix
-    
-    
-  ];
-
-  # Workaround for https://github.com/NixOS/nix/issues/8502
-  services.logrotate.checkConfig = false;
-
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
-  networking.hostName = "ubuntu";
-  networking.domain = "";
-  services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com'' ];
-  system.stateVersion = "23.11";
-  
-}
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@ -1,9 +0,0 @@
-{ modulesPath, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub.device = "/dev/vda";
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
-  
-}