fix: harden NixOS deployment module defaults #15

Closed

web3dev1337 wants to merge 1 commit into pr/12-nix-flake from fix/pr12-nixos-hardening

Conversation

@web3dev1337 (Owner)

Summary

  • add managed service identity defaults (createUser / createGroup) so fresh hosts do not fail on missing gastown account/group
  • add baseline systemd hardening to services.gastown-gui (NoNewPrivileges, PrivateTmp, PrivateDevices, ProtectSystem, capability drop, etc.)
  • add openFirewall option and gtRoot absolute-path assertion for safer deployment configuration
  • update README NixOS example to document new deployment options and hardened defaults

Validation

  • npm run test:unit (pass: 31 files, 153 tests)
  • npm run lint is not available in this repo (Missing script: lint)
  • nix build could not be run in this environment because nix is not installed
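The summary above lists the options and systemd directives the module gained but does not show the module itself. The following NixOS module sketch is an added example of how such defaults are typically wired together; it is not the project's module from PR #12 or #15. The option names createUser, createGroup, openFirewall and gtRoot, the service name services.gastown-gui and the gastown account/group come from the summary; the package and port options, the ExecStart command, and every hardening directive beyond the ones the summary names (NoNewPrivileges, PrivateTmp, PrivateDevices, ProtectSystem, capability drop) are assumptions.

```nix
{ config, lib, ... }:

let
  cfg = config.services.gastown-gui;
in
{
  options.services.gastown-gui = {
    enable = lib.mkEnableOption "gastown-gui";

    # Assumed option: the package providing the service binary.
    package = lib.mkOption {
      type = lib.types.package;
      description = "Package providing the gastown-gui executable.";
    };

    user = lib.mkOption { type = lib.types.str; default = "gastown"; };
    group = lib.mkOption { type = lib.types.str; default = "gastown"; };

    # Managed service identity: create the account/group unless the host
    # already provides them (set these to false to reuse an existing user).
    createUser = lib.mkOption { type = lib.types.bool; default = true; };
    createGroup = lib.mkOption { type = lib.types.bool; default = true; };

    # Kept as a string so the absolute-path rule is enforced by an explicit
    # assertion with a readable error instead of a type-check failure.
    gtRoot = lib.mkOption {
      type = lib.types.str;
      description = "Absolute path to the gastown state directory.";
    };

    # Assumed option: the listening port guarded by openFirewall.
    port = lib.mkOption { type = lib.types.port; default = 8080; };

    # Closed by default; the operator opts in to exposing the port.
    openFirewall = lib.mkOption { type = lib.types.bool; default = false; };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = lib.hasPrefix "/" cfg.gtRoot;
        message = "services.gastown-gui.gtRoot must be an absolute path";
      }
    ];

    users.users.${cfg.user} = lib.mkIf cfg.createUser {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.gtRoot;
      createHome = true;
    };
    users.groups.${cfg.group} = lib.mkIf cfg.createGroup { };

    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];

    systemd.services.gastown-gui = {
      description = "gastown GUI";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/gastown-gui";  # assumed binary name
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.gtRoot;

        # Baseline hardening named in the PR summary.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";      # read-only /usr, /boot, /etc, ...
        ReadWritePaths = [ cfg.gtRoot ];  # the one writable location
        CapabilityBoundingSet = "";    # drop every capability
        AmbientCapabilities = "";

        # Additional directives (assumed, not listed on the PR).
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        SystemCallArchitectures = "native";
        UMask = "0077";
      };
    };
  };
}
```

With ProtectSystem set to strict the service sees a read-only filesystem apart from ReadWritePaths, so any additional state directory the service needs must be added there or the unit fails at runtime rather than at build time; `systemd-analyze security gastown-gui.service` on the deployed host is the quickest way to confirm which directives actually took effect. MemoryDenyWriteExecute is deliberately left out because it breaks JIT-based runtimes such as Node, which this repository's npm-based test suite suggests it uses.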

@web3dev1337 (Owner, Author)

Superseded: these hardening/identity changes were cherry-picked into PR #12 and merged there.
