
Security

Source directory: modules/security/

default.nix

modules/security/default.nix

No option declarations; see source for implementation.

firewall.nix

modules/security/firewall.nix

Centralized Firewall Configuration Module

  • Enable option: Centralized firewall configuration
  • Enable option: Rate limiting for connections

Options: enable, profile, extraTcpPorts, extraUdpPorts, extraTrustedInterfaces, interfaceRules (with per-interface allowedTCPPorts, allowedUDPPorts), enableAdvancedRules, enableLogging, trustedNetworks, blockCountries, rateLimiting (with enable, sshLimit, httpLimit)

Options declaration (Nix)
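  options.security.firewall = {
    enable = mkEnableOption "Centralized firewall configuration";

    # Named rule set that the implementation expands.  What each profile
    # opens is defined outside this declaration, so check the implementation
    # before assuming one profile is tighter than another.
    profile = mkOption {
      type = types.enum [ "workstation" "server" "mediaServer" "monitoringServer" "custom" ];
      default = "workstation";
      description = "Firewall profile to use (workstation, server, mediaServer, monitoringServer or custom)";
    };

    extraTcpPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = "Additional TCP ports to allow on top of the selected profile";
    };

    extraUdpPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = "Additional UDP ports to allow on top of the selected profile";
    };

    # NOTE(review): if these are forwarded to networking.firewall.trustedInterfaces,
    # traffic arriving on them bypasses filtering entirely - confirm in the
    # implementation before listing a bridge, container or VPN interface here.
    extraTrustedInterfaces = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Additional interfaces to treat as trusted";
    };

    # Attribute names are interface names; each value only opens ports, it
    # does not make the interface trusted.
    interfaceRules = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          allowedTCPPorts = mkOption {
            type = types.listOf types.port;
            default = [ ];
            description = "TCP ports allowed on this interface";
          };
          allowedUDPPorts = mkOption {
            type = types.listOf types.port;
            default = [ ];
            description = "UDP ports allowed on this interface";
          };
        };
      });
      default = { };
      example = { eth0.allowedTCPPorts = [ 22 ]; };
      description = "Per-interface firewall rules, keyed by interface name";
    };

    enableAdvancedRules = mkOption {
      type = types.bool;
      default = true;
      description = "Enable advanced iptables rules for enhanced security";
    };

    enableLogging = mkOption {
      type = types.bool;
      default = true;
      description = "Enable firewall logging for dropped packets";
    };

    # The default covers one /24 plus the complete 10.0.0.0/8 and 172.16.0.0/12
    # private ranges.  That is far wider than most deployments need (it also
    # spans guest, IoT and neighbouring-tenant subnets in the same address
    # space); narrow it to the subnets actually in use.  The type is a plain
    # string list, so a malformed CIDR is not caught at evaluation time.
    trustedNetworks = mkOption {
      type = types.listOf types.str;
      default = [ "192.168.1.0/24" "10.0.0.0/8" "172.16.0.0/12" ];
      example = [ "192.168.1.0/24" ];
      description = "Trusted network CIDRs; keep this list as narrow as the deployment allows";
    };

    blockCountries = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "CN" "RU" "KP" ];
      description = "ISO 3166-1 alpha-2 country codes to block (requires GeoIP)";
    };

    rateLimiting = {
      enable = mkEnableOption "Rate limiting for connections";

      # Narrowed from types.int: a zero or negative per-minute budget is not a
      # meaningful rate, so reject it at evaluation instead of at rule-load time.
      sshLimit = mkOption {
        type = types.ints.positive;
        default = 4;
        description = "SSH connection attempts per minute";
      };

      httpLimit = mkOption {
        type = types.ints.positive;
        default = 100;
        description = "HTTP connection attempts per minute";
      };
    };
  }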

secrets.nix

modules/security/secrets.nix

  • Enable option: Agenix secrets management

Options: enable, hostKeys, userKeys

Options declaration (Nix)
  options.modules.security.secrets = {
    enable = mkEnableOption "Agenix secrets management";

    # Both key lists are typed as strings on purpose: types.str rejects a Nix
    # path literal such as /etc/ssh/ssh_host_ed25519_key, which would otherwise
    # be copied into the world-readable Nix store when interpolated.  Private
    # key locations must stay plain strings that are read only at runtime.
    hostKeys = mkOption {
      description = "List of SSH host key paths for decryption";
      example = [ "/etc/ssh/ssh_host_ed25519_key" ];
      type = types.listOf types.str;
      default = [ ];
    };

    # NOTE(review): presumably fed to agenix identity paths alongside hostKeys;
    # confirm in the implementation, which is not part of this declaration.
    userKeys = mkOption {
      description = "List of user SSH key paths for secrets management";
      example = [ "/home/olafkfreund/.ssh/id_ed25519" ];
      type = types.listOf types.str;
      default = [ ];
    };
  }