Be more paranoid

The paranoia mode now also enables the firewall and closes a couple
of small OpenSSH holes. `noexec` on the whole FS is left out, as it would
make every existing PubSolarOS installation panic.
Benjamin Bädorf 2022-10-03 03:57:34 +02:00
parent 741e4bfef1
commit 8529a15177
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
2 changed files with 32 additions and 0 deletions


@ -36,6 +36,8 @@ in
wifi.backend = "iwd";
};
networking.firewall.enable = true;
# Customized binary caches list (with fallback to official binary cache)
nix.binaryCaches = cfg.binaryCaches;
nix.binaryCachePublicKeys = cfg.publicKeys;
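Review bot: The added `networking.firewall.enable = true;` sits among the general networking settings rather than under the paranoia module's `mkIf cfg.enable`, so as far as this hunk shows it applies to every host, while the commit message describes it as a paranoia-mode change. NixOS already enables the firewall by default, so the line mainly documents intent; a comment such as `# Explicit, so the firewall stays on regardless of the upstream default` would make that clear. The attribute set this line belongs to starts and ends outside the hunk.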


@ -21,5 +21,35 @@ in
config = mkIf cfg.enable {
pub-solar.core.hibernation.enable = true;
services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.allowSFTP = false;
services.openssh.openFirewall = false; # Lock yourself out
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [ ];
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
enable = true;
openFirewall = false;
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
};
}
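Review bot: `services.openssh.openFirewall = false;` is defined twice in this hunk, once as a dotted path and again inside the `services.openssh = { … }` block, which as far as I can tell Nix rejects as a duplicate attribute definition; drop the dotted line and move `allowSFTP = false;` into the block so all sshd settings live in one place. The block also sets `enable = true;`, which starts sshd on hosts that did not run it before, so a paranoia profile would be safer omitting that line and only hardening sshd where it is already enabled. With the firewall on and port 22 not opened, the `# Lock yourself out` comment should say how remote access is expected to work, e.g. `# port 22 stays closed; open it per interface where SSH is needed`. `AllowTcpForwarding yes` stands out next to the other forwarding options being disabled and deserves either `no` or a comment explaining why it is kept. The module's option declarations and the definition of `cfg` sit above the hunk.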