diff --git a/modules/core/networking.nix b/modules/core/networking.nix index edfef42d..c5ec9cbe 100644 --- a/modules/core/networking.nix +++ b/modules/core/networking.nix @@ -36,6 +36,8 @@ in wifi.backend = "iwd"; }; + networking.firewall.enable = true; + # Customized binary caches list (with fallback to official binary cache) nix.binaryCaches = cfg.binaryCaches; nix.binaryCachePublicKeys = cfg.publicKeys; diff --git a/modules/core/services.nix b/modules/core/services.nix index 61ba6ea0..41aa45e5 100644 --- a/modules/core/services.nix +++ b/modules/core/services.nix @@ -4,7 +4,9 @@ # For rage encryption, all hosts need a ssh key pair services.openssh = { enable = true; - openFirewall = lib.mkDefault false; + # If you don't want the host to have SSH actually opened up to the net, + # set `services.openssh.openFirewall` to false in your config. + openFirewall = lib.mkDefault true; }; # Service that makes Out of Memory Killer more effective diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix index 699ab13e..75275a11 100644 --- a/modules/paranoia/default.nix +++ b/modules/paranoia/default.nix @@ -21,5 +21,33 @@ in config = mkIf cfg.enable { pub-solar.core.hibernation.enable = true; services.logind.lidSwitch = "hibernate"; + + # The options below are directly taken from or inspired by + # https://xeiaso.net/blog/paranoid-nixos-2021-07-18 + + # Don't set this if you need sftp + services.openssh.allowSFTP = false; + services.openssh.openFirewall = false; # Lock yourself out + + # Limit the use of sudo to the group wheel + security.sudo.execWheelOnly = true; + + # Remove the complete default environment of packages like + # nano, perl and rsync + environment.defaultPackages = lib.mkForce [ ]; + + # fileSystems."/".options = [ "noexec" ]; + + services.openssh = { + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + extraConfig = '' + AllowTcpForwarding yes + X11Forwarding no + AllowAgentForwarding no + AllowStreamLocalForwarding no + AuthenticationMethods publickey + ''; + }; }; }