From aa322301fbded91a9cc66cfec8b863a5250e6072 Mon Sep 17 00:00:00 2001
From: Christoph Schmatzler
Date: Sat, 24 Jan 2026 09:08:55 +0000
Subject: [PATCH] harden

---
 hosts/tahani/default.nix | 2 ++
 hosts/tahani/networking.nix | 2 +-
 profiles/nixos.nix | 1 -
 profiles/openssh.nix | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts/tahani/default.nix b/hosts/tahani/default.nix
index 5b802d7..1a6474b 100644
--- a/hosts/tahani/default.nix
+++ b/hosts/tahani/default.nix
@@ -52,6 +52,8 @@
   virtualisation.docker.enable = true;
 
+  users.users.${user}.extraGroups = ["docker"];
+
   swapDevices = [
     {
       device = "/swapfile";
diff --git a/hosts/tahani/networking.nix b/hosts/tahani/networking.nix
index 486e2ab..4c4371b 100644
--- a/hosts/tahani/networking.nix
+++ b/hosts/tahani/networking.nix
@@ -11,7 +11,7 @@
     nameservers = ["1.1.1.1"];
     firewall = {
       enable = true;
-      trustedInterfaces = ["eno1" "tailscale0"];
+      trustedInterfaces = ["tailscale0"];
       allowedUDPPorts = [config.services.tailscale.port];
       allowedTCPPorts = [22];
       checkReversePath = "loose";
diff --git a/profiles/nixos.nix b/profiles/nixos.nix
index be2f2e8..d45f475 100644
--- a/profiles/nixos.nix
+++ b/profiles/nixos.nix
@@ -65,7 +65,6 @@
         "sudo"
         "network"
         "systemd-journal"
-        "docker"
       ];
       shell = pkgs.fish;
       openssh.authorizedKeys.keys = constants.sshKeys;
diff --git a/profiles/openssh.nix b/profiles/openssh.nix
index 7295e35..b55a2ba 100644
--- a/profiles/openssh.nix
+++ b/profiles/openssh.nix
@@ -2,7 +2,7 @@
   services.openssh = {
     enable = true;
     settings = {
-      PermitRootLogin = "prohibit-password";
+      PermitRootLogin = "no";
       PasswordAuthentication = false;
     };
   };
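Review bot: Membership in the `docker` group is root-equivalent — access to the daemon socket allows `docker run --privileged -v /:/host`, so the added `users.users.${user}.extraGroups = ["docker"];` in hosts/tahani/default.nix hands that account unaudited root without passing through sudo, which sits oddly in a commit titled "harden" (the `sudo` group kept in profiles/nixos.nix already covers the admin path). If the goal is only to run containers as that user, the rootless daemon avoids this entirely: `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` in place of the group grant. If root-equivalence is deliberately accepted for this host, say so next to the line, e.g. `# docker group is root-equivalent on this host; accepted for local use`. The enclosing attribute set starts and ends outside the hunk.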
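Review bot: With `eno1` dropped from `trustedInterfaces` in hosts/tahani/networking.nix, the unchanged `allowedTCPPorts = [22];` two lines below is now the only thing still exposing SSH on the physical interface, and it does so on every non-trusted interface; tailnet peers already reach port 22 through `trustedInterfaces = ["tailscale0"]`. If SSH is meant to be tailnet-only, remove 22 from the global list and also set `services.openssh.openFirewall = false;`, since that option (which defaults to true in NixOS, as far as I can tell) would re-open the port independently of this list — and confirm the tailscale path works before deploying, because this is the lockout case. If public SSH on eno1 is intentional as break-glass access, a comment such as `# 22 stays open on eno1 on purpose: break-glass access outside the tailnet` would keep the next reader from "fixing" it. The `firewall` set continues outside the hunk.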
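Review bot: `PasswordAuthentication = false;` in profiles/openssh.nix does not close the password path on its own: NixOS's sshd runs with PAM enabled and `KbdInteractiveAuthentication` appears to default to true, so a client requesting keyboard-interactive authentication can still be prompted for the system password. Add `KbdInteractiveAuthentication = false;` next to it; together with the new `PermitRootLogin = "no"` this leaves public keys as the only accepted method, matching the `openssh.authorizedKeys.keys = constants.sshKeys` setup visible in profiles/nixos.nix. Setting `AuthenticationMethods = "publickey";` as well would make that intent explicit rather than relying on defaults. The surrounding module attribute set starts before the hunk.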