Be more paranoid

The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic.
2022-10-03 03:57:34 +02:00 · 2022-10-03 03:57:34 +02:00 · 8529a15177
parent 741e4bfef1
commit 8529a15177
2 changed files with 32 additions and 0 deletions
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -36,6 +36,8 @@ in
      wifi.backend = "iwd";
    };

+    networking.firewall.enable = true;
+
    # Customized binary caches list (with fallback to official binary cache)
    nix.binaryCaches = cfg.binaryCaches;
    nix.binaryCachePublicKeys = cfg.publicKeys;
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
@ -21,5 +21,35 @@ in
  config = mkIf cfg.enable {
    pub-solar.core.hibernation.enable = true;
    services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      enable = true;
+      openFirewall = false;
+      passwordAuthentication = false;
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
  };
 }