some minor security improvements found by claude

2026-04-26 10:01:18 +02:00
parent 447fc61c0b
commit c5e5b84bfb
4 changed files with 6 additions and 10 deletions
--- a/modules/hardware/remoteBuilder.nix
+++ b/modules/hardware/remoteBuilder.nix
@@ -2,16 +2,17 @@

 {
  users.users.nixremote = {                   # System User
-    isNormalUser = true;
+    isSystemUser = true;
+    group = "nixremote";
    extraGroups = [ "kvm" ];
-    shell = pkgs.zsh;                       # Default shell
    uid = 1001;
-#    initialPassword = "password95";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
    ];
  };

+  users.groups.nixremote = {};
+
  nix.settings.trusted-users = [
    "nixremote"
  ];
--- a/modules/services/server/coturn.nix
+++ b/modules/services/server/coturn.nix
@@ -4,7 +4,6 @@
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
-    no-tls = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
@@ -53,7 +52,7 @@
      allowedUDPPortRanges = range;
      allowedUDPPorts = [ 3478 ];
      allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 ];
+      allowedTCPPorts = [ 3478 5349 ];
    };
  };
  # get a certificate
--- a/modules/services/server/gitea.nix
+++ b/modules/services/server/gitea.nix
@@ -29,7 +29,7 @@
 	    LFS_ALLOW_PURE_SSH = true;
        };
        security = {
-            MIN_PASSWORD_LENGTH = 8;
+            MIN_PASSWORD_LENGTH = 12;
            PASSWORD_CHECK_PWN = true;
            PASSWORD_HASH_ALGO = "argon2";
        };
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -1,10 +1,6 @@

 { config, pkgs, ... }:
 {
-    environment.systemPackages = with pkgs; [           # Default packages install system-wide
-      appimage-run
-    ];
-
    services.nextcloud = {
        enable = true;
        hostName = "cloud.kabtop.de";