Be more paranoid
The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic.
This commit is contained in:
parent
741e4bfef1
commit
8529a15177
|
@ -36,6 +36,8 @@ in
|
||||||
wifi.backend = "iwd";
|
wifi.backend = "iwd";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
# Customized binary caches list (with fallback to official binary cache)
|
# Customized binary caches list (with fallback to official binary cache)
|
||||||
nix.binaryCaches = cfg.binaryCaches;
|
nix.binaryCaches = cfg.binaryCaches;
|
||||||
nix.binaryCachePublicKeys = cfg.publicKeys;
|
nix.binaryCachePublicKeys = cfg.publicKeys;
|
||||||
|
|
|
@ -21,5 +21,35 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
pub-solar.core.hibernation.enable = true;
|
pub-solar.core.hibernation.enable = true;
|
||||||
services.logind.lidSwitch = "hibernate";
|
services.logind.lidSwitch = "hibernate";
|
||||||
|
|
||||||
|
# The options below are directly taken from or inspired by
|
||||||
|
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||||
|
|
||||||
|
# Don't set this if you need sftp
|
||||||
|
services.openssh.allowSFTP = false;
|
||||||
|
services.openssh.openFirewall = false; # Lock yourself out
|
||||||
|
|
||||||
|
# Limit the use of sudo to the group wheel
|
||||||
|
security.sudo.execWheelOnly = true;
|
||||||
|
|
||||||
|
# Remove the complete default environment of packages like
|
||||||
|
# nano, perl and rsync
|
||||||
|
environment.defaultPackages = lib.mkForce [ ];
|
||||||
|
|
||||||
|
# fileSystems."/".options = [ "noexec" ];
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = false;
|
||||||
|
passwordAuthentication = false;
|
||||||
|
kbdInteractiveAuthentication = false;
|
||||||
|
extraConfig = ''
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
X11Forwarding no
|
||||||
|
AllowAgentForwarding no
|
||||||
|
AllowStreamLocalForwarding no
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue