42 lines
1 KiB
Nix
42 lines
1 KiB
Nix
|
{
|
||
|
|
config,
|
||
|
|
lib,
|
||
|
|
pkgs,
|
||
|
|
...
|
||
|
|
}:
|
||
|
|
with lib; let
|
||
|
|
cfg = config.pub-solar.core;
|
||
|
|
psCfg = config.pub-solar;
|
||
|
|
in {
|
||
|
|
services.tor.settings = {
|
||
|
|
UseBridges = true;
|
||
|
|
};
|
||
|
|
|
||
|
|
# Always go to encrypted hibernation instead of sleep
|
||
|
|
services.logind.lidSwitch = "hibernate";
|
||
|
|
|
||
|
|
# The options below are directly taken from or inspired by
|
||
|
|
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||
|
|
|
||
|
|
# Limit the use of sudo to the group wheel
|
||
|
|
security.sudo.execWheelOnly = true;
|
||
|
|
|
||
|
|
# Remove the complete default environment of packages like
|
||
|
|
# nano, perl and rsync
|
||
|
|
environment.defaultPackages = lib.mkForce [];
|
||
|
|
|
||
|
|
# fileSystems."/".options = [ "noexec" ];
|
||
|
|
|
||
|
|
# disable coredump that could be exploited later
|
||
|
|
# and also slow down the system when something crash
|
||
|
|
systemd.coredump.enable = false;
|
||
|
|
|
||
|
|
# required to run chromium
|
||
|
|
security.chromiumSuidSandbox.enable = true;
|
||
|
|
|
||
|
|
# enable antivirus clamav and
|
||
|
|
# keep the signatures' database updated
|
||
|
|
services.clamav.daemon.enable = true;
|
||
|
|
services.clamav.updater.enable = true;
|
||
|
|
}
|