From 8529a15177466a14be333e0fdc83e39f3eb4ee07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Mon, 3 Oct 2022 03:57:34 +0200 Subject: [PATCH 1/3] Be more paranoid The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic. --- modules/core/networking.nix | 2 ++ modules/paranoia/default.nix | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/modules/core/networking.nix b/modules/core/networking.nix index edfef42..c5ec9cb 100644 --- a/modules/core/networking.nix +++ b/modules/core/networking.nix @@ -36,6 +36,8 @@ in wifi.backend = "iwd"; }; + networking.firewall.enable = true; + # Customized binary caches list (with fallback to official binary cache) nix.binaryCaches = cfg.binaryCaches; nix.binaryCachePublicKeys = cfg.publicKeys; diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix index 699ab13..f5ceaea 100644 --- a/modules/paranoia/default.nix +++ b/modules/paranoia/default.nix @@ -21,5 +21,35 @@ in config = mkIf cfg.enable { pub-solar.core.hibernation.enable = true; services.logind.lidSwitch = "hibernate"; + + # The options below are directly taken from or inspired by + # https://xeiaso.net/blog/paranoid-nixos-2021-07-18 + + # Don't set this if you need sftp + services.openssh.allowSFTP = false; + services.openssh.openFirewall = false; # Lock yourself out + + # Limit the use of sudo to the group wheel + security.sudo.execWheelOnly = true; + + # Remove the complete default environment of packages like + # nano, perl and rsync + environment.defaultPackages = lib.mkForce [ ]; + + # fileSystems."/".options = [ "noexec" ]; + + services.openssh = { + enable = true; + openFirewall = false; + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + extraConfig = '' + AllowTcpForwarding yes + X11Forwarding no + AllowAgentForwarding no + AllowStreamLocalForwarding no + AuthenticationMethods publickey + ''; + }; }; } From 6f3885d0caff8d36508080e4db60b4c62616c3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Mon, 3 Oct 2022 04:07:48 +0200 Subject: [PATCH 2/3] Remove doubled openssh configs in paranoia module --- modules/paranoia/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix index f5ceaea..75275a1 100644 --- a/modules/paranoia/default.nix +++ b/modules/paranoia/default.nix @@ -39,8 +39,6 @@ in # fileSystems."/".options = [ "noexec" ]; services.openssh = { - enable = true; - openFirewall = false; passwordAuthentication = false; kbdInteractiveAuthentication = false; extraConfig = '' From 5da560ef56cb081b4dd3bae67a3a2e67421487cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Mon, 3 Oct 2022 04:55:14 +0200 Subject: [PATCH 3/3] Open up SSH by default --- modules/core/services.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/core/services.nix b/modules/core/services.nix index 61ba6ea..41aa45e 100644 --- a/modules/core/services.nix +++ b/modules/core/services.nix @@ -4,7 +4,9 @@ # For rage encryption, all hosts need a ssh key pair services.openssh = { enable = true; - openFirewall = lib.mkDefault false; + # If you don't want the host to have SSH actually opened up to the net, + # set `services.openssh.openFirewall` to false in your config. + openFirewall = lib.mkDefault true; }; # Service that makes Out of Memory Killer more effective