init minecraft server configs!

2026-03-13 23:36:43 -07:00 · 2026-03-13 23:36:43 -07:00 · 64820d502a
commit 64820d502a
23 changed files with 24719 additions and 0 deletions
--- a/modules/hardening.nix
+++ b/modules/hardening.nix
@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+{
+  # ── Firewall ──
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 25565 ];  # Caddy HTTP/HTTPS + Minecraft
+    allowedUDPPorts = [ 24454 ];         # Simple Voice Chat
+    trustedInterfaces = [ "tailscale0" ]; # Full access over Tailscale (SSH, etc.)
+    logRefusedConnections = true;
+  };
+
+  # ── SSH — key-only, hardened ──
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+      KbdInteractiveAuthentication = false;
+      X11Forwarding = false;
+      MaxAuthTries = 3;
+      LoginGraceTime = 30;
+      AllowAgentForwarding = false;
+      AllowTcpForwarding = false;
+    };
+  };
+
+  # ── Fail2ban ──
+  services.fail2ban = {
+    enable = true;
+    bantime = "1h";
+    maxretry = 10;
+    bantime-increment = {
+      enable = true;
+      maxtime = "24h";
+    };
+  };
+
+  # ── Kernel hardening ──
+  boot.kernel.sysctl = {
+    # SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_max_syn_backlog" = 2048;
+    "net.ipv4.tcp_synack_retries" = 2;
+
+    # IP spoofing protection
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+
+    # Disable ICMP redirects
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+
+    # Ignore broadcast pings
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+
+    # Disable source routing
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+
+    # Restrict unprivileged BPF
+    "kernel.unprivileged_bpf_disabled" = 1;
+
+    # Restrict dmesg
+    "kernel.dmesg_restrict" = 1;
+
+    # Restrict kernel pointers
+    "kernel.kptr_restrict" = 2;
+  };
+
+  # ── Kernel image protection ──
+  security.protectKernelImage = true;
+
+  # ── Disable unused services ──
+  services.avahi.enable = false;
+  services.printing.enable = false;
+
+  # ── Automatic security updates ──
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = false;
+    dates = "04:00";
+  };
+}