From b1dd673fc512fde621d7c8048bfe378c21ae42b0 Mon Sep 17 00:00:00 2001
From: Martin Berg Alstad
Date: Mon, 13 Oct 2025 21:40:13 +0200
Subject: [PATCH] [nidaros] Copy security config from pi4
---
hosts/nidaros/security/default.nix | 22 ++++++++++++++++++++++
hosts/nidaros/security/firewall.nix | 17 +++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 hosts/nidaros/security/default.nix
create mode 100644 hosts/nidaros/security/firewall.nix
diff --git a/hosts/nidaros/security/default.nix b/hosts/nidaros/security/default.nix
new file mode 100644
index 0000000..63e7212
--- /dev/null
+++ b/hosts/nidaros/security/default.nix
@@ -0,0 +1,22 @@
+{ systemConfig, ... }:
+
+{
+ imports = [
+ ./firewall.nix
+ ];
+
+ security.sudo.extraRules = [
+ {
+ users = [ systemConfig.username ];
+ runAs = "ALL:ALL";
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ services.pcscd.enable = true;
+}
diff --git a/hosts/nidaros/security/firewall.nix b/hosts/nidaros/security/firewall.nix
new file mode 100644
index 0000000..f25b780
--- /dev/null
+++ b/hosts/nidaros/security/firewall.nix
@@ -0,0 +1,17 @@
+{ common, ... }:
+
+{
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ extraInputRules = ''
+ ip saddr ${common.localIpRange} accept
+ '';
+ };
+ nftables.enable = true;
+ };
+}
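Review bot: The sudo rule in `hosts/nidaros/security/default.nix` grants `systemConfig.username` passwordless root for every command (`command = "ALL"` with `NOPASSWD`), so any code execution as that user on this host is immediately root with no prompt in between. Since the same commit opens 80/443 on nidaros, it is worth checking that the pi4 setting is actually needed here rather than carried over; if only a few unattended commands need it, list those in `commands` instead of `"ALL"`, or drop `options = [ "NOPASSWD" ];` and keep the password prompt. If the blanket rule stays, a comment above `security.sudo.extraRules` such as `# passwordless sudo: <reason>; this account is root-equivalent` would make the trade-off visible to the next reader.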
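Review bot: In `hosts/nidaros/security/firewall.nix`, `ip saddr ${common.localIpRange} accept` accepts every port and protocol from that range, so `allowedTCPPorts` only constrains traffic from outside it and any service listening on the host is reachable from every device in the range. The value of `common.localIpRange` is defined outside this patch, so how wide the range is cannot be checked here. If only specific services are meant to be reachable locally, narrow the rule, for example `ip saddr ${common.localIpRange} tcp dport { <ports> } accept`, and consider pinning it to the LAN interface with `iifname "<lan-iface>"` so the match does not rest on the source address alone. The rule is IPv4-only, so IPv6 traffic from local hosts still falls under the default policy, which may or may not be intended.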