Merge pull request 'Be more paranoid' (#139) from feature/more-paranoia into main
Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/139 Reviewed-by: teutat3s <teutates@mailbox.org>
This commit is contained in:
commit
b7132c3744
|
@ -36,6 +36,8 @@ in
|
|||
wifi.backend = "iwd";
|
||||
};
|
||||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# Customized binary caches list (with fallback to official binary cache)
|
||||
nix.binaryCaches = cfg.binaryCaches;
|
||||
nix.binaryCachePublicKeys = cfg.publicKeys;
|
||||
|
|
|
@ -4,7 +4,9 @@
|
|||
# For rage encryption, all hosts need a ssh key pair
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = lib.mkDefault false;
|
||||
# If you don't want the host to have SSH actually opened up to the net,
|
||||
# set `services.openssh.openFirewall` to false in your config.
|
||||
openFirewall = lib.mkDefault true;
|
||||
};
|
||||
|
||||
# Service that makes Out of Memory Killer more effective
|
||||
|
|
|
@ -21,5 +21,33 @@ in
|
|||
config = mkIf cfg.enable {
|
||||
pub-solar.core.hibernation.enable = true;
|
||||
services.logind.lidSwitch = "hibernate";
|
||||
|
||||
# The options below are directly taken from or inspired by
|
||||
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||
|
||||
# Don't set this if you need sftp
|
||||
services.openssh.allowSFTP = false;
|
||||
services.openssh.openFirewall = false; # Lock yourself out
|
||||
|
||||
# Limit the use of sudo to the group wheel
|
||||
security.sudo.execWheelOnly = true;
|
||||
|
||||
# Remove the complete default environment of packages like
|
||||
# nano, perl and rsync
|
||||
environment.defaultPackages = lib.mkForce [ ];
|
||||
|
||||
# fileSystems."/".options = [ "noexec" ];
|
||||
|
||||
services.openssh = {
|
||||
passwordAuthentication = false;
|
||||
kbdInteractiveAuthentication = false;
|
||||
extraConfig = ''
|
||||
AllowTcpForwarding yes
|
||||
X11Forwarding no
|
||||
AllowAgentForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
AuthenticationMethods publickey
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue