From 44c8cf333ad6afe3b7c63650c44afaa3ebdebd3a Mon Sep 17 00:00:00 2001
From: Asmir A
Date: Sun, 31 May 2026 11:55:40 +0200
Subject: [PATCH] magpie: add hardening

---
 magpie/configuration.nix | 43 +++++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/magpie/configuration.nix b/magpie/configuration.nix
index 1dcf52a..ef7565d 100644
--- a/magpie/configuration.nix
+++ b/magpie/configuration.nix
@@ -27,6 +27,19 @@
 boot.kernel.sysctl = {
 "net.core.default_qdisc" = "fq";
 "net.ipv4.tcp_congestion_control" = "bbr";
+ "kernel.kptr_restrict" = 2;
+ "kernel.dmesg_restrict" = 1;
+ "kernel.kexec_load_disabled" = 1;
+ "kernel.yama.ptrace_scope" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.log_martians" = 1;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
 };

 boot.initrd = {
@@ -49,7 +62,7 @@
 # Set your time zone.
 time.timeZone = "Europe/Berlin";

- users.users.root.initialHashedPassword = "";
+ users.users.root.hashedPassword = "!";
 users.users.root.openssh.authorizedKeys.keys = [
 (builtins.readFile ../nixy/ssh_pubkey)
 ];
@@ -108,10 +121,14 @@
 certificateScheme = "acme-nginx";
 };

- services.journald.extraConfig = ''SystemMaxUse=50M '';
+ services.journald.extraConfig = ''SystemMaxUse=500M '';
 services.logind.settings.Login = { KillUserProcesses = true; };
- services.openssh.settings.PermitRootLogin = "prohibit-password";
 services.openssh.enable = true;
+ services.openssh.settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
 services.openssh.listenAddresses = [
 {
 addr = "10.100.0.1"; # wireguard
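Review bot: Strict reverse-path filtering (`rp_filter = 1` on both `all` and `default`) deserves a second look on this particular host, which terminates WireGuard at 10.100.0.1 (see the sshd listen address further down) and configures `networking.nat` at the end of the file: strict mode drops any packet whose return route does not point back out its ingress interface, which asymmetric VPN/NAT paths can trigger, and the NixOS firewall's own `networking.firewall.checkReversePath` (on by default) already performs a reverse-path check in the packet filter. If legitimate tunnel traffic disappears after this lands, `2` (loose) is the usual compromise. Separately, `net.ipv4.conf.all.log_martians` is the only key in the block without a `default` twin; as far as I recall the kernel treats `all` as sufficient for this one, so adding `"net.ipv4.conf.default.log_martians" = 1;` is a consistency point rather than a gap. `kernel.kexec_load_disabled` cannot be re-enabled once set without a reboot, which is the intent here but worth stating in a comment.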
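Review bot: Locking root with `hashedPassword = "!"` locks more than remote password login: the local console and systemd's rescue/emergency shells go through `sulogin`, which (as far as I recall) refuses to open a shell on a locked root account and merely continues boot. Combined with `security.sudo.execWheelOnly = true` further down in this patch, the host stays recoverable only if a wheel user with a usable password, or some other out-of-band path, exists outside this hunk; please confirm that before merging, since a boot-time failure would otherwise require rescue media. A comment above the line would make the trade-off explicit, e.g. `# root is key-only over SSH (see services.openssh.settings); console and rescue-shell login are locked too`.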
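Review bot: The new `services.openssh.settings` attrset sits between two dotted single-attribute lines (`services.openssh.enable = true;` and `services.openssh.listenAddresses = [ … ]`); folding the three into one `services.openssh = { enable = true; settings = { … }; listenAddresses = [ … ]; };` block keeps the whole SSH exposure readable in one place. With `PasswordAuthentication` and `KbdInteractiveAuthentication` both off, `PermitRootLogin = "prohibit-password"` is redundant but harmless defence in depth. The `SystemMaxUse` bump from 50M to 500M is a retention change rather than hardening; I am guessing it is meant to absorb the refused-connection and martian logging enabled elsewhere in this patch, so a one-line comment stating the reason would save the next reader the same guess. The `listenAddresses` list continues outside the hunk.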
@@ -119,6 +136,13 @@
 }
 ];

+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ ignoreIP = [ "10.100.0.0/24" ];
+ };
+
 services.opendkim = {
 enable = true;
 selector = "mail";
@@ -308,6 +332,12 @@
 defaults.email = "asmir.abdulahovic@gmail.com";
 };

+ security.sudo.execWheelOnly = true;
+
+ environment.memoryAllocator.provider = "jemalloc";
+
+ systemd.coredump.enable = false;
+
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 secrets = {
@@ -341,14 +371,13 @@
 80
 443
 587
- 2049
- ]; # http, mail, mail, nfs
+ ]; # http, https, submission
 allowedUDPPorts = [
 443
 51820
- ]; # mail, wireguard
+ ]; # http3, wireguard
 allowPing = true;
- logRefusedConnections = lib.mkDefault false;
+ logRefusedConnections = lib.mkDefault true;
 };

 networking.nat = {
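Review bot: `ignoreIP = [ "10.100.0.0/24" ]` whitelists the only address sshd listens on (`services.openssh.listenAddresses` is restricted to `10.100.0.1` in the previous hunk), so the sshd jail that the NixOS fail2ban module enables by default can never ban anything — every SSH peer arrives from the ignored subnet. The services this host actually exposes publicly, per the firewall hunk below, are 80/443 and 587, so if the goal is brute-force protection the jails that would matter are the ones for the web and mail daemons (`services.fail2ban.jails.<name>` with fail2ban's shipped `postfix`, `dovecot` or `nginx-*` filters, whichever of those daemons this file runs — the mail-server context is inferred from `certificateScheme`), none of which is configured here. As written the block adds a service and its log parsing without a measurable benefit; either add the relevant jails or document why only the default one is wanted. `services.fail2ban.bantime-increment.enable = true` is a cheap addition if the block stays.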
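Review bot: `environment.memoryAllocator.provider = "jemalloc"` picks a performance allocator, not a hardened one; in a commit titled "add hardening" the value that matches the intent is `"graphene-hardened"` (the option's hardened choice, with some compatibility and memory cost), otherwise the line belongs in a separate change with its own rationale. Whichever is chosen, check how the module applies it: as far as I recall it works by exporting `LD_PRELOAD` into the login environment, which does not reach systemd-managed daemons such as the web and mail services and is ignored for setuid binaries, so the coverage may be far smaller than the option name suggests — confirm before counting it as hardening. `security.sudo.execWheelOnly = true` relies on a wheel user being defined elsewhere in the file, which this hunk cannot show; `systemd.coredump.enable = false` is fine, and a short comment naming the reason (no on-disk dumps of processes that handle TLS keys and mail) would help.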
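Review bot: `logRefusedConnections = lib.mkDefault true;` gives the hardening setting the lowest option priority, so any other module or imported file that assigns it (including a leftover `lib.mkDefault false` of the old style) wins silently; if logging is meant to be enforced, a plain `logRefusedConnections = true;` says so. Dropping 2049 from `allowedTCPPorts` is only correct if the NFS export was removed, or moved behind the WireGuard interface, in a part of the file this hunk does not show — please confirm. Refused-connection logging on an internet-facing host writes every rejected packet to the kernel log and therefore to journald, which presumably is why `SystemMaxUse` was raised earlier in this patch; the corrected port comments (`http, https, submission` / `http3, wireguard`) are right.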