Diffstat (limited to 'sys')
| -rw-r--r-- | sys/auth/openssh.nix | 7 | ||||
| -rw-r--r-- | sys/boot/chain.nix | 6 | ||||
| -rw-r--r-- | sys/boot/namespaced.nix | 3 | ||||
| -rw-r--r-- | sys/net/interfaces.nix | 2 | ||||
| -rw-r--r-- | sys/preset/dmz.nix | 2 | ||||
| -rw-r--r-- | sys/preset/user.nix | 2 |
6 files changed, 12 insertions, 10 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 3bc3a78..87c6299 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -19,6 +19,11 @@ in
 };
 }) [ "ecdsa" "ed25519" "rsa" ]);
+ shiftPortNumber = mkOption {
+ type = types.bool;
+ default = true;
+ };
+
 withDeployKeys = mkOption {
 type = types.bool;
 default = false;
@@ -39,7 +44,7 @@ in
 services.openssh = {
 enable = true;
 openFirewall = true;
- ports = [ 2234 ];
+ ports = mkIf cfg.shiftPortNumber [ 2234 ];
 startWhenNeeded = !config.services.fail2ban.enable;
 hostKeys = map
diff --git a/sys/boot/chain.nix b/sys/boot/chain.nix
index c726cf8..aeb3bbe 100644
--- a/sys/boot/chain.nix
+++ b/sys/boot/chain.nix
@@ -4,10 +4,8 @@ with lib; let
 in
 {
 options.local.boot = {
- enable = mkEnableOption "system boot";
-
 loader = mkOption {
- type = types.enum [ "grub" "systemd-boot" ];
+ type = types.enum [ "none" "grub" "systemd-boot" ];
 };
 kernel = mkOption {
@@ -15,7 +13,7 @@ in
 };
 };
- config = mkIf cfg.enable {
+ config = mkIf (cfg.loader != "none") {
 boot = {
 kernelPackages = cfg.kernel;
diff --git a/sys/boot/namespaced.nix b/sys/boot/namespaced.nix
index 9927ae2..db01d55 100644
--- a/sys/boot/namespaced.nix
+++ b/sys/boot/namespaced.nix
@@ -12,9 +12,10 @@ in
 local.boot = mkMerge ([
 {
- enable = mkForce false;
+ loader = mkForce "none";
 efi.enable = mkForce false;
+ firmware.mode = mkForce "none";
 secureBoot.enable = mkForce false;
 impermanence.enable = mkForce false;
 }
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 0341440..11b9621 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -23,6 +23,8 @@ in
 domain = mkDefault config.local.domains.host.main;
 hostName = cfg.hostname;
+ firewall.logRefusedConnections = false;
+
 useDHCP = false;
 enableIPv6 = true;
 useNetworkd = true;
diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix
index 19985e0..a64a5b7 100644
--- a/sys/preset/dmz.nix
+++ b/sys/preset/dmz.nix
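Review bot: The new `shiftPortNumber` option in sys/auth/openssh.nix has no `description`, and nothing states what happens when it is set to false: `ports = mkIf cfg.shiftPortNumber [ 2234 ]` then leaves `ports` undefined, so sshd falls back to the module default of port 22, and with `openFirewall = true` it is that port that gets opened. Suggest adding `description = "Listen on port 2234 instead of the default 22; the firewall opening from openFirewall follows whichever port is in effect.";` to the option. Since moving the port only reduces scanner noise rather than hardening the service, a short comment at the `ports` line saying so (`# port shift is noise reduction, not an access control`) would keep readers from relying on it. The enclosing `options` and `config` attribute sets both continue outside these hunks.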
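Review bot: In sys/boot/chain.nix the `loader` option now stands in for the removed `enable`, but it has no `default`, so a host that imports the module without setting `local.boot.loader` will fail evaluation at `mkIf (cfg.loader != "none")` with an undefined-option error, where `mkEnableOption` previously defaulted the module to off. The two presets in this commit set `loader = mkDefault "grub"` and namespaced.nix forces `"none"`, but any other consumer loses the old default. Suggest `default = "none";` plus `description = "Boot loader to install; \"none\" leaves this module's boot configuration unset.";` inside the `loader` mkOption, which also restores the documentation that `mkEnableOption "system boot"` carried. The default belongs with the option rather than at the `config` line in the second hunk, which gates on the same condition. The surrounding `let … in { … }` extends outside both hunks.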
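Review bot: `firmware.mode = mkForce "none"` in sys/boot/namespaced.nix forces an option that no hunk of this commit declares; chain.nix only shows `loader` and `kernel`, and the sibling `efi`, `secureBoot` and `impermanence` lines suggest the rest live in other modules. If `local.boot.firmware.mode` is declared elsewhere with `"none"` among its values this is fine, otherwise the assignment would be rejected at evaluation. A one-line comment naming the module that declares `firmware.mode` next to this line would spare the next reader the search, as would the same for `loader` now that it doubles as the module's on/off switch. The `mkMerge` list continues outside the hunk.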
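Review bot: `firewall.logRefusedConnections = false;` in sys/net/interfaces.nix is set unconditionally at normal priority in what looks like a shared module, which silences the kernel log lines for refused connections on every host that imports it, including hosts built from the DMZ preset touched in this same commit, where those lines are the usual evidence of scans and misdirected traffic. Suggest `firewall.logRefusedConnections = mkDefault false;` so an exposed host can turn the logging back on with a plain assignment instead of `mkForce`, with a comment stating the reason, e.g. `# journal noise reduction; exposed hosts may want this on for detection`. `mkDefault` is already in scope here, as the `domain` line above shows. The enclosing attribute set, presumably `networking`, starts outside the hunk.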
@@ -15,8 +15,6 @@ in
 config = lib.mkIf cfg.enable {
 local = {
 boot = {
- enable = mkDefault true;
-
 kernel = mkDefault pkgs.linuxPackages_hardened;
 loader = mkDefault "grub";
diff --git a/sys/preset/user.nix b/sys/preset/user.nix
index 5f06f15..e0b3b9e 100644
--- a/sys/preset/user.nix
+++ b/sys/preset/user.nix
@@ -25,8 +25,6 @@ in
 };
 boot = {
- enable = mkDefault true;
-
 kernel = mkDefault pkgs.linuxPackages_latest;
 loader = mkDefault "grub";
|
