Be more paranoid

The paranoia mode now also enables the firewall and closes down a couple
of small openSSH holes. `noexec` on the whole FS is left out as it will
make every existing PubSolarOS installation panic.

modules/core/networking.nix

@@ -36,6 +36,8 @@ in
       wifi.backend = "iwd";
     };
 
+    networking.firewall.enable = true;
+
     # Customized binary caches list (with fallback to official binary cache)
     nix.binaryCaches = cfg.binaryCaches;
     nix.binaryCachePublicKeys = cfg.publicKeys;

modules/paranoia/default.nix

@@ -21,5 +21,35 @@ in
   config = mkIf cfg.enable {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      enable = true;
+      openFirewall = false;
+      passwordAuthentication = false;
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
   };
 }