From a92f0fcb2807afa7af7d2087d69c23d2be9146c6 Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Fri, 21 Nov 2025 16:39:45 +0000
Subject: [PATCH] Tighten up security.
---
 hosts/alo-cloud-1/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/hosts/alo-cloud-1/default.nix b/hosts/alo-cloud-1/default.nix
index 2d3c614..c63e340 100644
--- a/hosts/alo-cloud-1/default.nix
+++ b/hosts/alo-cloud-1/default.nix
@@ -24,4 +24,20 @@
 externalInterface = "enp1s0";
 internalInterfaces = [ "tailscale0" ];
 };
+
+ # Security hardening: Enable firewall (override global setting)
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ]; # Public web traffic only
+ allowedUDPPorts = [ 41641 ]; # Tailscale
+ trustedInterfaces = [ "tailscale0" ]; # Full access via VPN
+ };
+
+ # Security hardening: Restrict SSH to Tailscale only + key-based auth
+ services.openssh = {
+ listenAddresses = [
+ { addr = "100.75.147.49"; port = 22; } # Tailscale IP only
+ ];
+ settings.PasswordAuthentication = false; # Keys only
+ };
 }
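Review bot: The `settings.PasswordAuthentication = false; # Keys only` line in the services.openssh block does not by itself make sshd key-only, because NixOS leaves keyboard-interactive (PAM challenge-response) authentication enabled by default, and that path still accepts the account password; add `settings.KbdInteractiveAuthentication = false;` next to it so the "Keys only" comment is actually true. Separately, `listenAddresses` pins sshd to the hard-coded Tailscale address `100.75.147.49`, which only exists once tailscaled has come up and authenticated, so sshd's bind can presumably fail on boot or after a node re-registration changes the IP — that should be confirmed, and either sshd ordered after tailscaled (or `net.ipv4.ip_nonlocal_bind` enabled) or the restriction left to the firewall, which with port 22 absent from `allowedTCPPorts` and `tailscale0` trusted already limits SSH to the tailnet. Because the host then has no SSH reachable outside Tailscale, it is worth noting in the header comment that recovery relies on the provider's serial console, e.g. `# NOTE: SSH is reachable only over Tailscale; use the cloud console if tailscaled is down.`. The enclosing module attribute set opens before this hunk.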