some minor security improvements found by claude

modules/hardware/remoteBuilder.nix

@@ -2,16 +2,17 @@
 
 {
   users.users.nixremote = {                   # System User
-    isNormalUser = true;
+    isSystemUser = true;
+    group = "nixremote";
     extraGroups = [ "kvm" ];
-    shell = pkgs.zsh;                       # Default shell
     uid = 1001;
-#    initialPassword = "password95";
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
     ];
   };
 
+  users.groups.nixremote = {};
+
   nix.settings.trusted-users = [
     "nixremote"
   ];

modules/services/server/coturn.nix

@@ -4,7 +4,6 @@
     enable = true;
     no-cli = true;
     no-tcp-relay = true;
-    no-tls = true;
     min-port = 49000;
     max-port = 50000;
     use-auth-secret = true;
@@ -53,7 +52,7 @@
       allowedUDPPortRanges = range;
       allowedUDPPorts = [ 3478 ];
       allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 ];
+      allowedTCPPorts = [ 3478 5349 ];
     };
   };
   # get a certificate

modules/services/server/gitea.nix

@@ -29,7 +29,7 @@
 	    LFS_ALLOW_PURE_SSH = true;
         };
         security = {
-            MIN_PASSWORD_LENGTH = 8;
+            MIN_PASSWORD_LENGTH = 12;
             PASSWORD_CHECK_PWN = true;
             PASSWORD_HASH_ALGO = "argon2";
         };

modules/services/server/nextcloud.nix

@@ -1,10 +1,6 @@
 
 { config, pkgs, ... }:
 {
-    environment.systemPackages = with pkgs; [           # Default packages install system-wide
-      appimage-run
-    ];
-
     services.nextcloud = {
         enable = true;
         hostName = "cloud.kabtop.de";