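{ config, pkgs, ... }:

{
  # ── Firewall ──
  networking.firewall = {
    enable = true;
    # Ports reachable from every interface. SSH is not listed here: NixOS adds
    # the sshd port itself through services.openssh.openFirewall (see below).
    allowedTCPPorts = [ 80 443 25565 ]; # Caddy HTTP/HTTPS + Minecraft
    allowedUDPPorts = [ 24454 ];        # Simple Voice Chat
    # Traffic arriving on tailscale0 bypasses the port filter entirely, so every
    # listening service (SSH, etc.) is reachable from the tailnet.
    trustedInterfaces = [ "tailscale0" ];
    # Tailscale routing can be asymmetric; "loose" stops the firewall's
    # reverse-path check from dropping that traffic.
    checkReversePath = "loose";
    logRefusedConnections = true;
  };

  # ── SSH — key-only, hardened ──
  services.openssh = {
    enable = true;
    # Defaults to true in NixOS: the sshd port is opened on *all* interfaces,
    # not only tailscale0. Made explicit so the public exposure is visible.
    # Set to false to restrict SSH to trustedInterfaces — but keep a working
    # non-Tailscale path to the host first, or a Tailscale outage locks you out.
    openFirewall = true;
    settings = {
      PasswordAuthentication = false;
      # Root may still log in with a key; "no" would disable it completely.
      PermitRootLogin = "prohibit-password";
      KbdInteractiveAuthentication = false;
      X11Forwarding = false;
      MaxAuthTries = 3;
      LoginGraceTime = 30;
      AllowAgentForwarding = false;
      # Also blocks -L/-R/-D tunnels from tailnet clients; relax only if needed.
      AllowTcpForwarding = false;
    };
  };

  # ── Fail2ban ──
  services.fail2ban = {
    enable = true;
    bantime = "1h";
    maxretry = 10;
    # Repeat offenders get progressively longer bans, capped at maxtime.
    bantime-increment = {
      enable = true;
      maxtime = "24h";
    };
    # Never ban the Tailscale CGNAT range or loopback: a misbehaving tailnet
    # peer is therefore never locked out by fail2ban.
    ignoreIP = [ "100.64.0.0/10" "127.0.0.0/8" "::1/128" ];
  };

  # ── Kernel hardening ──
  boot.kernel.sysctl = {
    # SYN flood protection
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.tcp_max_syn_backlog" = 2048;
    "net.ipv4.tcp_synack_retries" = 2;

    # IP spoofing protection.
    # NOTE(review): 1 is the kernel's *strict* reverse-path mode (2 = loose);
    # it is independent of networking.firewall.checkReversePath = "loose" above.
    # If this host ever advertises subnet routes or acts as an exit node,
    # confirm strict mode is not dropping Tailscale traffic.
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    # Log packets rejected by the reverse-path check so spoofing attempts
    # show up in the journal.
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;

    # Disable ICMP redirects (both "all" and "default" so new interfaces inherit it)
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;

    # Ignore broadcast pings
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;

    # Disable source routing
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;

    # Restrict unprivileged BPF
    "kernel.unprivileged_bpf_disabled" = 1;

    # Restrict dmesg to root
    "kernel.dmesg_restrict" = 1;

    # Hide kernel pointers from everyone, including root
    "kernel.kptr_restrict" = 2;
  };

  # ── Kernel image protection ──
  security.protectKernelImage = true;

  # ── Disable unused services ──
  services.avahi.enable = false;
  services.printing.enable = false;
}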