Merge pull request 'Be more paranoid' (#139) from feature/more-paranoia into main

Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/139
Reviewed-by: teutat3s <teutates@mailbox.org>

modules/core/networking.nix

@@ -36,6 +36,8 @@ in
       wifi.backend = "iwd";
     };
 
+    networking.firewall.enable = true;
+
     # Customized binary caches list (with fallback to official binary cache)
     nix.binaryCaches = cfg.binaryCaches;
     nix.binaryCachePublicKeys = cfg.publicKeys;

modules/core/services.nix

@@ -4,7 +4,9 @@
   # For rage encryption, all hosts need a ssh key pair
   services.openssh = {
     enable = true;
-    openFirewall = lib.mkDefault false;
+    # If you don't want the host to have SSH actually opened up to the net,
+    # set `services.openssh.openFirewall` to false in your config.
+    openFirewall = lib.mkDefault true;
   };
 
   # Service that makes Out of Memory Killer more effective

modules/paranoia/default.nix

@@ -21,5 +21,33 @@ in
   config = mkIf cfg.enable {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      passwordAuthentication = false;
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
   };
 }