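{
  config,
  lib,
  ...
}:
let
  inherit (lib) mkOption mkIf mkForce types;

  cfg = config.pub-solar.paranoia;
in {
  # "Paranoia" profile: replace sleep/screen locking with hibernation so an
  # encrypted disk is locked whenever the device is not in active use, and
  # tighten sudo, the default package set and sshd while the profile is on.
  options.pub-solar.paranoia = {
    enable = mkOption {
      description = ''
        Only offer hibernation instead of screen locking and sleeping. This only makes sense
        if your hard drive is encrypted, and ensures that the contents of your drive are
        encrypted if you are not actively using the device.
      '';
      default = false;
      type = types.bool;
    };
  };

  config = mkIf cfg.enable {
    # Hibernation replaces suspend; closing the lid hibernates as well.
    pub-solar.core.hibernation.enable = true;
    services.logind.lidSwitch = "hibernate";

    # The options below are directly taken from or inspired by
    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18

    # Limit the use of sudo to the group wheel
    security.sudo.execWheelOnly = true;

    # Remove the complete default environment of packages like
    # nano, perl and rsync
    environment.defaultPackages = mkForce [];

    # Left disabled; uncomment to mount the root filesystem noexec.
    # fileSystems."/".options = [ "noexec" ];

    services.openssh = {
      # Don't set this if you need sftp
      allowSFTP = false;
      # sshd's port is not opened in the host firewall. Make sure you have
      # another way in before enabling this profile, or you lock yourself out.
      openFirewall = false;

      # Both NixOS-level authentication switches are turned off explicitly so
      # that the public-key-only policy does not rest solely on the
      # AuthenticationMethods line in extraConfig below.
      passwordAuthentication = false;
      kbdInteractiveAuthentication = false;

      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        AuthenticationMethods publickey
      '';
    };
  };
}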