harden

hosts/tahani/default.nix

@@ -52,6 +52,8 @@
 
 	virtualisation.docker.enable = true;
 
+	users.users.${user}.extraGroups = ["docker"];
+
 	swapDevices = [
 		{
 			device = "/swapfile";

hosts/tahani/networking.nix

@@ -11,7 +11,7 @@
 		nameservers = ["1.1.1.1"];
 		firewall = {
 			enable = true;
-			trustedInterfaces = ["eno1" "tailscale0"];
+			trustedInterfaces = ["tailscale0"];
 			allowedUDPPorts = [config.services.tailscale.port];
 			allowedTCPPorts = [22];
 			checkReversePath = "loose";

profiles/nixos.nix

@@ -65,7 +65,6 @@
 				"sudo"
 				"network"
 				"systemd-journal"
-				"docker"
 			];
 			shell = pkgs.fish;
 			openssh.authorizedKeys.keys = constants.sshKeys;

profiles/openssh.nix

@@ -2,7 +2,7 @@
 	services.openssh = {
 		enable = true;
 		settings = {
-			PermitRootLogin = "prohibit-password";
+			PermitRootLogin = "no";
 			PasswordAuthentication = false;
 		};
 	};