compsigh-minecraft/modules/hardening.nix

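{ config, pkgs, ... }:
# Host hardening for the compsigh-minecraft server: firewall, key-only SSH,
# fail2ban, network/kernel sysctls, kernel image protection, and unattended
# upgrades. Purely declarative NixOS configuration; `config` and `pkgs` are
# accepted for the standard module signature but not referenced here.
{
  # ── Firewall ──
  # Only the public game/web services are opened to the world; everything
  # else (SSH, admin tooling) is reachable solely over the trusted Tailscale
  # interface. Refused connections are logged for detection purposes.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 25565 ]; # Caddy HTTP/HTTPS + Minecraft
    allowedUDPPorts = [ 24454 ]; # Simple Voice Chat
    trustedInterfaces = [ "tailscale0" ]; # Full access over Tailscale (SSH, etc.)
    logRefusedConnections = true;
  };

  # ── SSH — key-only, hardened ──
  # NOTE(review): services.openssh.openFirewall defaults to true, which also
  # opens port 22 on the public side; if SSH is meant to be Tailscale-only as
  # the firewall comment suggests, add `openFirewall = false;` here.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false; # keys only, no password guessing surface
      PermitRootLogin = "prohibit-password"; # root permitted only with a key
      KbdInteractiveAuthentication = false; # closes the PAM/keyboard fallback
      X11Forwarding = false;
      MaxAuthTries = 3; # per-connection attempts before disconnect
      LoginGraceTime = 30; # seconds to authenticate before the socket is dropped
      AllowAgentForwarding = false;
      AllowTcpForwarding = false; # no tunnelling through this host
    };
  };

  # ── Fail2ban ──
  # Bans escalate on repeat offenders: 1h initially, capped at 24h.
  services.fail2ban = {
    enable = true;
    bantime = "1h";
    maxretry = 10;
    bantime-increment = {
      enable = true;
      maxtime = "24h";
    };
  };

  # ── Kernel hardening ──
  # IPv4 and IPv6 are configured symmetrically: the "all" and "default"
  # knobs are both set so interfaces added after boot inherit the same policy.
  boot.kernel.sysctl = {
    # SYN flood protection
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.tcp_max_syn_backlog" = 2048;
    "net.ipv4.tcp_synack_retries" = 2;

    # IP spoofing protection (strict reverse-path filtering), with martian
    # packets logged so spoofing attempts are visible in the kernel log
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;

    # Disable ICMP redirects (accept and send) on both address families.
    # The IPv6 "default" counterpart was previously missing, so new
    # interfaces would still have accepted IPv6 redirects.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;

    # Ignore broadcast pings (smurf amplification)
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;

    # Disable source routing on both address families (IPv6 was not covered)
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;

    # Restrict unprivileged BPF
    "kernel.unprivileged_bpf_disabled" = 1;

    # Restrict dmesg to root
    "kernel.dmesg_restrict" = 1;

    # Hide kernel pointers from all users, including root
    "kernel.kptr_restrict" = 2;
  };

  # ── Kernel image protection ──
  # Prevents replacing the running kernel (kexec) and related write paths.
  security.protectKernelImage = true;

  # ── Disable unused services ──
  # Neither mDNS nor CUPS has a role on a game server; keep them off.
  services.avahi.enable = false;
  services.printing.enable = false;

  # ── Automatic security updates ──
  # Daily upgrade at 04:00. allowReboot is false, so a new kernel only takes
  # effect after an operator-initiated reboot.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
    dates = "04:00";
  };
}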