From c5e5b84bfb94f716e7d0d5b551f76c0e8234cb4c Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sun, 26 Apr 2026 10:01:18 +0200
Subject: [PATCH] some minor security improvements found by claude
---
 modules/hardware/remoteBuilder.nix | 7 ++++---
 modules/services/server/coturn.nix | 3 +--
 modules/services/server/gitea.nix | 2 +-
 modules/services/server/nextcloud.nix | 4 ----
 4 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/modules/hardware/remoteBuilder.nix b/modules/hardware/remoteBuilder.nix
index db3c678..29c1f48 100644
--- a/modules/hardware/remoteBuilder.nix
+++ b/modules/hardware/remoteBuilder.nix
@@ -2,16 +2,17 @@
 {
 users.users.nixremote = { # System User
- isNormalUser = true;
+ isSystemUser = true;
+ group = "nixremote";
 extraGroups = [ "kvm" ];
- shell = pkgs.zsh; # Default shell
 uid = 1001;
-# initialPassword = "password95";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
 ];
 };
+ users.groups.nixremote = {};
+ nix.settings.trusted-users = [ "nixremote" ];
diff --git a/modules/services/server/coturn.nix b/modules/services/server/coturn.nix
index a4ba88c..af2f7d8 100644
--- a/modules/services/server/coturn.nix
+++ b/modules/services/server/coturn.nix
@@ -4,7 +4,6 @@
 enable = true;
 no-cli = true;
 no-tcp-relay = true;
- no-tls = true;
 min-port = 49000;
 max-port = 50000;
 use-auth-secret = true;
@@ -53,7 +52,7 @@
 allowedUDPPortRanges = range;
 allowedUDPPorts = [ 3478 ];
 allowedTCPPortRanges = range;
- allowedTCPPorts = [ 3478 ];
+ allowedTCPPorts = [ 3478 5349 ];
 };
 };
 # get a certificate
diff --git a/modules/services/server/gitea.nix b/modules/services/server/gitea.nix
index d2a6aec..4795373 100644
--- a/modules/services/server/gitea.nix
+++ b/modules/services/server/gitea.nix
@@ -29,7 +29,7 @@
 LFS_ALLOW_PURE_SSH = true;
 };
 security = {
- MIN_PASSWORD_LENGTH = 8;
+ MIN_PASSWORD_LENGTH = 12;
 PASSWORD_CHECK_PWN = true;
 PASSWORD_HASH_ALGO = "argon2";
 };
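Review bot: Removing `shell = pkgs.zsh;` while switching to `isSystemUser = true;` leaves the account on NixOS's default shell for system users, which is the nologin shell from `pkgs.shadow` (system users do not get `useDefaultShell`), so sshd cannot execute the `nix-store --serve` command the build client sends and remote builds over this key stop working; keep an explicit non-interactive shell on the new side, e.g. `shell = pkgs.bash;`. The collapsed hunk does not show whether the `+` before `nix.settings.trusted-users` marks that line as new or is a blank added line, but either way a trusted user can push unsigned store paths and override daemon settings, which makes whoever holds the listed key root-equivalent on this host; that deserves a comment on the line, e.g. `# trusted-users is root-equivalent here: the key above can push unsigned store paths`. The enclosing attribute set starts and ends outside the hunk.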
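Review bot: Dropping `no-tls = true;` turns on coturn's TLS listener on the default `tls-listening-port` (5349) and, unless `no-dtls` is also set, a DTLS listener on the same port over UDP, but the second hunk of this file adds 5349 only to `allowedTCPPorts`; either add `5349` to `allowedUDPPorts` or set `no-dtls = true;` next to `no-tcp-relay` so the listeners and the firewall agree. The TLS listener only works if `cert`/`pkey` are configured — the `# get a certificate` context line suggests they are, but the values are outside both hunks — so a comment such as `# TLS listener on 5349 (needs cert/pkey; DTLS on UDP unless no-dtls)` above `min-port` would make that dependency visible. Both hunks sit inside attribute sets that start and end outside the hunk.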
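Review bot: `MIN_PASSWORD_LENGTH` is checked only when a password is created or changed, so accounts whose current passwords are 8–11 characters stay valid until they are rotated; if the intent is to raise the floor for existing users as well, that needs a one-off reset alongside this setting. Worth recording inline: `MIN_PASSWORD_LENGTH = 12; # enforced on new/changed passwords only`. Note also that `PASSWORD_CHECK_PWN = true` on the following line makes gitea call the Have I Been Pwned range API when a password is set, so password changes may fail if outbound HTTPS from this host is restricted. The `security` block is complete within the hunk, but the surrounding settings set continues outside it.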
diff --git a/modules/services/server/nextcloud.nix b/modules/services/server/nextcloud.nix
index 66d382a..5026008 100644
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -1,10 +1,6 @@
 { config, pkgs, ... }:
 {
- environment.systemPackages = with pkgs; [ # Default packages install system-wide
- appimage-run
- ];
-
 services.nextcloud = {
 enable = true;
 hostName = "cloud.kabtop.de";