Merge branch 'main' into teutat3s

modules/core/networking.nix

@@ -36,6 +36,8 @@ in
       wifi.backend = "iwd";
     };
 
+    networking.firewall.enable = true;
+
     # Customized binary caches list (with fallback to official binary cache)
     nix.binaryCaches = cfg.binaryCaches;
     nix.binaryCachePublicKeys = cfg.publicKeys;

modules/core/services.nix

@@ -4,7 +4,10 @@
   # For rage encryption, all hosts need a ssh key pair
   services.openssh = {
     enable = true;
-    openFirewall = lib.mkDefault false;
+    # If you don't want the host to have SSH actually opened up to the net,
+    # set `services.openssh.openFirewall` to false in your config.
+    openFirewall = lib.mkDefault true;
+    passwordAuthentication = false;
   };
 
   # Service that makes Out of Memory Killer more effective

modules/graphical/alacritty.nix

@@ -100,10 +100,15 @@
       foreground = "0xe3e1e4";
     };
 
-    # Colors the cursor will use if `custom_cursor_colors` is true
+    # Cursor colors
+    #
+    # Colors which should be used to draw the terminal cursor.
+    #
+    # Allowed values are CellForeground/CellBackground, which reference the
+    # affected cell, or hexadecimal colors like #ff00ff.
     cursor = {
-      text = "0x1a181a";
+      text = "CellBackground";
-      cursor = "0xe3e1e4";
+      cursor = "CellForeground";
     };
 
     # Colors used for the search bar and match highlighting.
@@ -115,14 +120,25 @@
         background = "0x1a181a";
       };
       focused_match = {
-        foreground = "0xe5c463";
+        foreground = "CellBackground";
-        background = "0xe3e1e4";
+        background = "CellForeground";
       };
       #bar =
       #  background = "#c5c8c6";
       #  foreground = "#1d1f21";
     };
 
+    # Selection colors
+    #
+    # Colors which should be used to draw the selection area.
+    #
+    # Allowed values are CellForeground/CellBackground, which reference the
+    # affected cell, or hexadecimal colors like #ff00ff.
+    selection = {
+      text = "0x1a181a";
+      background = "0xf85e84";
+    };
+
     # Normal colors
     normal = {
       black = "0x1a181a";

modules/paranoia/default.nix

@@ -21,5 +21,32 @@ in
   config = mkIf cfg.enable {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
   };
 }

modules/user/default.nix

@@ -23,7 +23,7 @@ in
       };
       publicKeys = mkOption {
         description = "User SSH public keys";
-        type = types.listOf types.path;
+        type = types.listOf types.str;
         default = [ ];
       };
       fullName = mkOption {

profiles/base-user/default.nix

@@ -26,7 +26,7 @@ in
       ];
       initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
       shell = pkgs.zsh;
-      openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
+      openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
     };
   };
 }