b12f restructure #1
|
@ -121,7 +121,7 @@ steps:
|
|||
from_secret: iso_web_ssh_port
|
||||
key:
|
||||
from_secret: iso_web_ssh_key
|
||||
target: /srv/os
|
||||
target: /srv/os/download
|
||||
source:
|
||||
- /var/nix/iso-cache/*.iso
|
||||
- /var/nix/iso-cache/*.iso.sha256
|
||||
|
@ -143,6 +143,6 @@ volumes:
|
|||
|
||||
---
|
||||
kind: signature
|
||||
hmac: 7b0b56a97294cd563eee2bde56abeea6dd0928e01729980a25f8c165a3f6e0f6
|
||||
hmac: 8823c7103f6a075bb291a497c7ab5d5db47a91f9bc7d8ef95329b5620c9cf91d
|
||||
|
||||
...
|
||||
|
|
|
@ -36,6 +36,8 @@ in
|
|||
wifi.backend = "iwd";
|
||||
};
|
||||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# Customized binary caches list (with fallback to official binary cache)
|
||||
nix.binaryCaches = cfg.binaryCaches;
|
||||
nix.binaryCachePublicKeys = cfg.publicKeys;
|
||||
|
|
|
@ -4,6 +4,8 @@
|
|||
# For rage encryption, all hosts need a ssh key pair
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# If you don't want the host to have SSH actually opened up to the net,
|
||||
# set `services.openssh.openFirewall` to false in your config.
|
||||
openFirewall = lib.mkDefault true;
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
|
|
|
@ -100,10 +100,15 @@
|
|||
foreground = "0xe3e1e4";
|
||||
};
|
||||
|
||||
# Colors the cursor will use if `custom_cursor_colors` is true
|
||||
# Cursor colors
|
||||
#
|
||||
# Colors which should be used to draw the terminal cursor.
|
||||
#
|
||||
# Allowed values are CellForeground/CellBackground, which reference the
|
||||
# affected cell, or hexadecimal colors like #ff00ff.
|
||||
cursor = {
|
||||
text = "0x1a181a";
|
||||
cursor = "0xe3e1e4";
|
||||
text = "CellBackground";
|
||||
cursor = "CellForeground";
|
||||
};
|
||||
|
||||
# Colors used for the search bar and match highlighting.
|
||||
|
@ -115,14 +120,25 @@
|
|||
background = "0x1a181a";
|
||||
};
|
||||
focused_match = {
|
||||
foreground = "0xe5c463";
|
||||
background = "0xe3e1e4";
|
||||
foreground = "CellBackground";
|
||||
background = "CellForeground";
|
||||
};
|
||||
#bar =
|
||||
# background = "#c5c8c6";
|
||||
# foreground = "#1d1f21";
|
||||
};
|
||||
|
||||
# Selection colors
|
||||
#
|
||||
# Colors which should be used to draw the selection area.
|
||||
#
|
||||
# Allowed values are CellForeground/CellBackground, which reference the
|
||||
# affected cell, or hexadecimal colors like #ff00ff.
|
||||
selection = {
|
||||
text = "0x1a181a";
|
||||
background = "0xf85e84";
|
||||
};
|
||||
|
||||
# Normal colors
|
||||
normal = {
|
||||
black = "0x1a181a";
|
||||
|
|
|
@ -25,5 +25,32 @@ in
|
|||
services.tor.settings = {
|
||||
UseBridges = true;
|
||||
};
|
||||
|
||||
# The options below are directly taken from or inspired by
|
||||
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||
|
||||
# Don't set this if you need sftp
|
||||
services.openssh.allowSFTP = false;
|
||||
services.openssh.openFirewall = false; # Lock yourself out
|
||||
|
||||
# Limit the use of sudo to the group wheel
|
||||
security.sudo.execWheelOnly = true;
|
||||
|
||||
# Remove the complete default environment of packages like
|
||||
# nano, perl and rsync
|
||||
environment.defaultPackages = lib.mkForce [ ];
|
||||
|
||||
# fileSystems."/".options = [ "noexec" ];
|
||||
|
||||
services.openssh = {
|
||||
kbdInteractiveAuthentication = false;
|
||||
extraConfig = ''
|
||||
AllowTcpForwarding yes
|
||||
X11Forwarding no
|
||||
AllowAgentForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
AuthenticationMethods publickey
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue