From 8529a15177466a14be333e0fdc83e39f3eb4ee07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 3 Oct 2022 03:57:34 +0200
Subject: [PATCH] Be more paranoid

The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic.

---
 modules/core/networking.nix | 2 ++
 modules/paranoia/default.nix | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index edfef42d..c5ec9cbe 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -36,6 +36,8 @@ in
     wifi.backend = "iwd";
   };
 
+  networking.firewall.enable = true;
+
   # Customized binary caches list (with fallback to official binary cache)
   nix.binaryCaches = cfg.binaryCaches;
   nix.binaryCachePublicKeys = cfg.publicKeys;
diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix
index 699ab13e..f5ceaeaf 100644
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
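Review bot: `networking.firewall.enable = true;` is added to modules/core/networking.nix outside any `mkIf cfg.enable`, so it applies to every host, not only to paranoia mode as the commit message states; if the message describes the intent, the line belongs under the paranoia module's `config = mkIf cfg.enable { … }`. As a plain assignment at default priority it also makes any host that sets `networking.firewall.enable = false;` fail evaluation with a conflicting-definition error, where `networking.firewall.enable = lib.mkDefault true;` would keep the hardening while leaving an explicit per-host opt-out. As far as I recall upstream NixOS already defaults this option to true, so on hosts that never set it the line changes nothing; a comment stating what it is meant to guard against, e.g. `# Firewall stays on for all hosts; open ports explicitly via networking.firewall.allowedTCPPorts`, would make the intent reviewable.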
@@ -21,5 +21,35 @@ in
   config = mkIf cfg.enable {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      enable = true;
+      openFirewall = false;
+      passwordAuthentication = false;
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
   };
 }
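Review bot: `services.openssh.enable = true;` inside `config = mkIf cfg.enable` turns sshd on for every host that enables paranoia mode, which the commit message does not mention and which widens the exposed surface of a hardening toggle; the restrictive settings in the same block take effect without it, so drop the line or write `enable = lib.mkDefault true;` so a host can keep sshd off. `services.openssh.openFirewall = false;` is defined twice in this hunk, once standalone with the `# Lock yourself out` comment and once inside the `services.openssh` attrset; the values agree so evaluation succeeds, but one copy should go. Because the firewall is now enabled for every host by the networking.nix change, sshd is reachable only where a host explicitly opens the port, and the comment would be more useful as `# Port 22 is NOT opened here; add it to networking.firewall.allowedTCPPorts per host`. `AllowTcpForwarding yes` is the one permissive directive in an otherwise restrictive sshd block and deserves a one-line comment stating why it is kept.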