harden and fix: nftables input chain, sudo, agenix, ZFS, NAT priority

Fork: 0

Skyworks / skyworks-Nix-infra

Browse code harden and fix: nftables input chain, sudo, agenix, ZFS, NAT priority - Add inet input_filter table to xlab-gateway (policy drop on WAN) - Restrict NOPASSWD sudo to ldx only; ylw uses password sudo via wheel - Restructure secrets.nix with admins list, prepare for ylw ed25519 key - Add ye-lw21 to trusted-users in common.nix - Remove contradictory relatime=on when atime=off on rpool - Fix NAT postrouting priority: filter → srcnat - Remove duplicate nixpkgs.hostPlatform from xlab-gateway hardware-configuration Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> main
1 parent 95f22e0 commit 257a2b8b852f37f984e60ac1cacc969ea68e18ba Dixiao-L authored 8 days ago

Browse code

- Add inet input_filter table to xlab-gateway (policy drop on WAN)
- Restrict NOPASSWD sudo to ldx only; ylw uses password sudo via wheel
- Restructure secrets.nix with admins list, prepare for ylw ed25519 key
- Add ye-lw21 to trusted-users in common.nix
- Remove contradictory relatime=on when atime=off on rpool
- Fix NAT postrouting priority: filter → srcnat
- Remove duplicate nixpkgs.hostPlatform from xlab-gateway hardware-configuration

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

main

1 parent 95f22e0 commit 257a2b8b852f37f984e60ac1cacc969ea68e18ba

Dixiao-L authored 8 days ago

Patch

Unified Split

Showing 6 changed files

Ignore Space Show notes View hosts/skydick/disko.nix

Ignore Space Show notes View hosts/xlab-gateway/hardware-configuration.nix

Ignore Space Show notes View hosts/xlab-gateway/networking.nix

Ignore Space Show notes View modules/common.nix

Ignore Space Show notes View modules/users.nix

Ignore Space Show notes View secrets/secrets.nix

Show line notes below