Merge branch 'main' into teutat3s

teutat3s 2022-10-05 14:45:37 +02:00
commit 2b69ea89a4
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
6 changed files with 56 additions and 8 deletions


@ -36,6 +36,8 @@ in
wifi.backend = "iwd"; wifi.backend = "iwd";
}; };
networking.firewall.enable = true;
# Customized binary caches list (with fallback to official binary cache) # Customized binary caches list (with fallback to official binary cache)
nix.binaryCaches = cfg.binaryCaches; nix.binaryCaches = cfg.binaryCaches;
nix.binaryCachePublicKeys = cfg.publicKeys; nix.binaryCachePublicKeys = cfg.publicKeys;


@ -4,7 +4,10 @@
# For rage encryption, all hosts need a ssh key pair # For rage encryption, all hosts need a ssh key pair
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault false; # If you don't want the host to have SSH actually opened up to the net,
# set `services.openssh.openFirewall` to false in your config.
openFirewall = lib.mkDefault true;
passwordAuthentication = false;
}; };
# Service that makes Out of Memory Killer more effective # Service that makes Out of Memory Killer more effective
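Review bot: With `openFirewall` now defaulting to true, every host that imports this module exposes sshd, yet this block only disables `passwordAuthentication`. Keyboard-interactive authentication is switched off only in the hardening profile elsewhere in this commit, so on other hosts it stays at whatever the NixOS default is, and PAM-backed keyboard-interactive logins may still be accepted. I would add `kbdInteractiveAuthentication = false;` next to `passwordAuthentication = false;` here. The new comment could also say outright that the default changed, e.g. `# SSH is reachable through the firewall by default; set services.openssh.openFirewall = false to keep the host key without exposing the port.`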


@ -100,10 +100,15 @@
foreground = "0xe3e1e4"; foreground = "0xe3e1e4";
}; };
# Colors the cursor will use if `custom_cursor_colors` is true # Cursor colors
#
# Colors which should be used to draw the terminal cursor.
#
# Allowed values are CellForeground/CellBackground, which reference the
# affected cell, or hexadecimal colors like #ff00ff.
cursor = { cursor = {
text = "0x1a181a"; text = "CellBackground";
cursor = "0xe3e1e4"; cursor = "CellForeground";
}; };
# Colors used for the search bar and match highlighting. # Colors used for the search bar and match highlighting.
@ -115,14 +120,25 @@
background = "0x1a181a"; background = "0x1a181a";
}; };
focused_match = { focused_match = {
foreground = "0xe5c463"; foreground = "CellBackground";
background = "0xe3e1e4"; background = "CellForeground";
}; };
#bar = #bar =
# background = "#c5c8c6"; # background = "#c5c8c6";
# foreground = "#1d1f21"; # foreground = "#1d1f21";
}; };
# Selection colors
#
# Colors which should be used to draw the selection area.
#
# Allowed values are CellForeground/CellBackground, which reference the
# affected cell, or hexadecimal colors like #ff00ff.
selection = {
text = "0x1a181a";
background = "0xf85e84";
};
# Normal colors # Normal colors
normal = { normal = {
black = "0x1a181a"; black = "0x1a181a";


@ -21,5 +21,32 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
pub-solar.core.hibernation.enable = true; pub-solar.core.hibernation.enable = true;
services.logind.lidSwitch = "hibernate"; services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.allowSFTP = false;
services.openssh.openFirewall = false; # Lock yourself out
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [ ];
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
}; };
} }
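Review bot: `AllowTcpForwarding yes` in the `extraConfig` block is at odds with the rest of the hardening, since agent, X11 and stream-local forwarding are all disabled while plain TCP forwarding stays available to any authenticated key. If forwarding is not needed on these hosts, use `AllowTcpForwarding no`; if it is, a comment stating why would keep the next reader from "fixing" it. For readability, `services.openssh.allowSFTP` and `services.openssh.openFirewall` could move into the `services.openssh = { … }` set below so all sshd options sit together. The comment `# Lock yourself out` would be clearer as `# Do not open the SSH port in the firewall on this host`.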


@ -23,7 +23,7 @@ in
}; };
publicKeys = mkOption { publicKeys = mkOption {
description = "User SSH public keys"; description = "User SSH public keys";
type = types.listOf types.path; type = types.listOf types.str;
default = [ ]; default = [ ];
}; };
fullName = mkOption { fullName = mkOption {
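Review bot: Changing the `publicKeys` type from `types.path` to `types.str` will reject host configs that still pass key file paths, and the description does not say which form is expected. I would change it to something like `description = "User SSH public keys as literal key strings, not paths to key files";` and add an `example` showing one key line. The set that encloses this option starts outside the hunk, so other consumers of `publicKeys` are not visible here.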


@ -26,7 +26,7 @@ in
]; ];
initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else ""; initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ]; openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
}; };
}; };
} }
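Review bot: The `!= null` guard on the `openssh.authorizedKeys.keys` line looks unreachable, because the `publicKeys` option changed in this commit is `types.listOf types.str` with `default = [ ]` and so presumably can never be null. If that is the same option, the line reduces to `openssh.authorizedKeys.keys = psCfg.user.publicKeys;`. Separately, the unchanged `initialHashedPassword` line falls back to `""` when no password is configured, which is worth a second look now that SSH is opened in the firewall by default. Disabled password authentication should cover the network path, but a comment recording that an unset password means a passwordless local login would make the behaviour explicit.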