b12f restructure #1
|
@ -121,7 +121,7 @@ steps:
|
||||||
from_secret: iso_web_ssh_port
|
from_secret: iso_web_ssh_port
|
||||||
key:
|
key:
|
||||||
from_secret: iso_web_ssh_key
|
from_secret: iso_web_ssh_key
|
||||||
target: /srv/os
|
target: /srv/os/download
|
||||||
source:
|
source:
|
||||||
- /var/nix/iso-cache/*.iso
|
- /var/nix/iso-cache/*.iso
|
||||||
- /var/nix/iso-cache/*.iso.sha256
|
- /var/nix/iso-cache/*.iso.sha256
|
||||||
|
@ -143,6 +143,6 @@ volumes:
|
||||||
|
|
||||||
---
|
---
|
||||||
kind: signature
|
kind: signature
|
||||||
hmac: 7b0b56a97294cd563eee2bde56abeea6dd0928e01729980a25f8c165a3f6e0f6
|
hmac: 8823c7103f6a075bb291a497c7ab5d5db47a91f9bc7d8ef95329b5620c9cf91d
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
|
@ -36,6 +36,8 @@ in
|
||||||
wifi.backend = "iwd";
|
wifi.backend = "iwd";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
# Customized binary caches list (with fallback to official binary cache)
|
# Customized binary caches list (with fallback to official binary cache)
|
||||||
nix.binaryCaches = cfg.binaryCaches;
|
nix.binaryCaches = cfg.binaryCaches;
|
||||||
nix.binaryCachePublicKeys = cfg.publicKeys;
|
nix.binaryCachePublicKeys = cfg.publicKeys;
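Review bot: The added `networking.firewall.enable = true;` is a plain assignment, so a host module that later sets it to `false` will raise an option conflict instead of quietly overriding it. NixOS already defaults this option to true, so the line mainly pins the firewall on against other modules; if that is the intent, say so, e.g. `# Pinned on purpose: disabling the firewall elsewhere needs lib.mkForce`. If an easy per-host override is wanted instead, `networking.firewall.enable = lib.mkDefault true;` matches the `openFirewall = lib.mkDefault true;` style used for openssh elsewhere in this commit. The enclosing module body starts and ends outside the hunk.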
|
||||||
|
|
|
@ -4,6 +4,8 @@
|
||||||
# For rage encryption, all hosts need a ssh key pair
|
# For rage encryption, all hosts need a ssh key pair
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
# If you don't want the host to have SSH actually opened up to the net,
|
||||||
|
# set `services.openssh.openFirewall` to false in your config.
|
||||||
openFirewall = lib.mkDefault true;
|
openFirewall = lib.mkDefault true;
|
||||||
passwordAuthentication = false;
|
passwordAuthentication = false;
|
||||||
};
|
};
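Review bot: The new comment tells users to set `services.openssh.openFirewall` to false in their config but does not say why that works without a conflict: the value on the next line is `lib.mkDefault true`, so a plain assignment in the host config wins. Suggest extending the comment with `# (lib.mkDefault, so a plain assignment in the host config overrides it without mkForce).` The enclosing module body starts and ends outside the hunk.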
|
||||||
|
|
|
@ -100,10 +100,15 @@
|
||||||
foreground = "0xe3e1e4";
|
foreground = "0xe3e1e4";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Colors the cursor will use if `custom_cursor_colors` is true
|
# Cursor colors
|
||||||
|
#
|
||||||
|
# Colors which should be used to draw the terminal cursor.
|
||||||
|
#
|
||||||
|
# Allowed values are CellForeground/CellBackground, which reference the
|
||||||
|
# affected cell, or hexadecimal colors like #ff00ff.
|
||||||
cursor = {
|
cursor = {
|
||||||
text = "0x1a181a";
|
text = "CellBackground";
|
||||||
cursor = "0xe3e1e4";
|
cursor = "CellForeground";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Colors used for the search bar and match highlighting.
|
# Colors used for the search bar and match highlighting.
|
||||||
|
@ -115,14 +120,25 @@
|
||||||
background = "0x1a181a";
|
background = "0x1a181a";
|
||||||
};
|
};
|
||||||
focused_match = {
|
focused_match = {
|
||||||
foreground = "0xe5c463";
|
foreground = "CellBackground";
|
||||||
background = "0xe3e1e4";
|
background = "CellForeground";
|
||||||
};
|
};
|
||||||
#bar =
|
#bar =
|
||||||
# background = "#c5c8c6";
|
# background = "#c5c8c6";
|
||||||
# foreground = "#1d1f21";
|
# foreground = "#1d1f21";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Selection colors
|
||||||
|
#
|
||||||
|
# Colors which should be used to draw the selection area.
|
||||||
|
#
|
||||||
|
# Allowed values are CellForeground/CellBackground, which reference the
|
||||||
|
# affected cell, or hexadecimal colors like #ff00ff.
|
||||||
|
selection = {
|
||||||
|
text = "0x1a181a";
|
||||||
|
background = "0xf85e84";
|
||||||
|
};
|
||||||
|
|
||||||
# Normal colors
|
# Normal colors
|
||||||
normal = {
|
normal = {
|
||||||
black = "0x1a181a";
|
black = "0x1a181a";
|
||||||
|
|
|
@ -25,5 +25,32 @@ in
|
||||||
services.tor.settings = {
|
services.tor.settings = {
|
||||||
UseBridges = true;
|
UseBridges = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# The options below are directly taken from or inspired by
|
||||||
|
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||||
|
|
||||||
|
# Don't set this if you need sftp
|
||||||
|
services.openssh.allowSFTP = false;
|
||||||
|
services.openssh.openFirewall = false; # Lock yourself out
|
||||||
|
|
||||||
|
# Limit the use of sudo to the group wheel
|
||||||
|
security.sudo.execWheelOnly = true;
|
||||||
|
|
||||||
|
# Remove the complete default environment of packages like
|
||||||
|
# nano, perl and rsync
|
||||||
|
environment.defaultPackages = lib.mkForce [ ];
|
||||||
|
|
||||||
|
# fileSystems."/".options = [ "noexec" ];
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
kbdInteractiveAuthentication = false;
|
||||||
|
extraConfig = ''
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
X11Forwarding no
|
||||||
|
AllowAgentForwarding no
|
||||||
|
AllowStreamLocalForwarding no
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
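Review bot: `services.openssh` is now configured in three separate places in the same attrset (`services.openssh.allowSFTP`, `services.openssh.openFirewall`, and the later `services.openssh = { … }` block); Nix merges these, but a reader has to stitch the sshd policy together from scattered lines, so consolidate them into the one block. `openFirewall = false; # Lock yourself out` should name the intended way in, since with the firewall on sshd is unreachable from the network and the hunk does not state the alternative. `AllowTcpForwarding yes` is the only forwarding left enabled while agent and stream-local forwarding are off; a one-line comment on why it is needed would keep that deviation from the cited guide deliberate. The enclosing attrset opens before the hunk.
```nix
services.openssh = {
  # Don't set this if you need sftp
  allowSFTP = false;
  # Lock yourself out: sshd is not reachable through the firewall; state the intended access path here
  openFirewall = false;
  kbdInteractiveAuthentication = false;
  # … unchanged: extraConfig block with the forwarding and AuthenticationMethods lines …
};
```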
|
||||||
|
|