Merge pull request 'Be more paranoid' (#139) from feature/more-paranoia into main

Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/139
Reviewed-by: teutat3s <teutates@mailbox.org>
Benjamin Bädorf 2022-10-03 18:36:05 +00:00
commit b7132c3744
No known key found for this signature in database
GPG key ID: 5FEAFA6A0FC8075D
3 changed files with 33 additions and 1 deletions


@ -36,6 +36,8 @@ in
wifi.backend = "iwd"; wifi.backend = "iwd";
}; };
networking.firewall.enable = true;
# Customized binary caches list (with fallback to official binary cache) # Customized binary caches list (with fallback to official binary cache)
nix.binaryCaches = cfg.binaryCaches; nix.binaryCaches = cfg.binaryCaches;
nix.binaryCachePublicKeys = cfg.publicKeys; nix.binaryCachePublicKeys = cfg.publicKeys;
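Review bot: `networking.firewall.enable = true;` is added at normal priority, so a host module that sets it to `false` now gets a conflicting-definition error instead of overriding it, and nothing in the hunk says whether that is intended. If the firewall is meant to be a hard baseline of this profile, say so in a comment, e.g. `# The firewall is always on in this profile; a host that must disable it has to use lib.mkForce.`; if it is only a safe default, write `networking.firewall.enable = lib.mkDefault true;` so a host can override it the same way the second file lets it override `services.openssh.openFirewall`. The enclosing attribute set starts and ends outside the hunk.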


@ -4,7 +4,9 @@
# For rage encryption, all hosts need a ssh key pair # For rage encryption, all hosts need a ssh key pair
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault false; # If you don't want the host to have SSH actually opened up to the net,
# set `services.openssh.openFirewall` to false in your config.
openFirewall = lib.mkDefault true;
}; };
# Service that makes Out of Memory Killer more effective # Service that makes Out of Memory Killer more effective
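Review bot: The default for `services.openssh.openFirewall` flips from closed to open on the new side of this hunk, which is the opposite direction from the PR title, and the new comment explains how to turn it off but not why the open default was chosen. Since it is `lib.mkDefault`, a plain `services.openssh.openFirewall = false;` in any host or profile module (the third file does exactly that) wins without `mkForce`, and the comment should say so, e.g. `# Open by default so hosts using this base profile stay reachable over SSH; any module that sets openFirewall = false (e.g. the hardened profile) takes precedence.` — adjust the reason if it is not reachability. The enclosing attribute set starts outside the hunk.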


@ -21,5 +21,33 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
pub-solar.core.hibernation.enable = true; pub-solar.core.hibernation.enable = true;
services.logind.lidSwitch = "hibernate"; services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.allowSFTP = false;
services.openssh.openFirewall = false; # Lock yourself out
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [ ];
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
}; };
} }
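Review bot: The SSH hardening on the new side is split across `services.openssh.allowSFTP`, `services.openssh.openFirewall` and a separate `services.openssh = { ... }` attribute set, and `AllowTcpForwarding yes` is the one forwarding type left enabled with no comment saying what needs it, while `# Lock yourself out` does not tell the reader that this overrides the `mkDefault true` from the base profile or what to check before enabling the module. Folding the three paths into one `services.openssh` block and commenting the two points makes the intent reviewable; if nothing needs TCP forwarding, `AllowTcpForwarding no` matches the rest of the block. The commented-out `fileSystems."/".options = [ "noexec" ];` line should also say why it is disabled or be dropped.
```nix
      # … unchanged: hibernation and lidSwitch …
      # The options below are directly taken from or inspired by
      # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
      services.openssh = {
        # Don't set this if you need sftp
        allowSFTP = false;
        # Closes the SSH port even though the base profile opens it by default
        # (mkDefault there, normal priority here); make sure you have console or
        # other out-of-band access before enabling this module.
        openFirewall = false;
        passwordAuthentication = false;
        kbdInteractiveAuthentication = false;
        # AllowTcpForwarding stays enabled — TODO state what needs it; every
        # other forwarding type is off.
        extraConfig = ''
          AllowTcpForwarding yes
          X11Forwarding no
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          AuthenticationMethods publickey
        '';
      };
      # … unchanged: execWheelOnly, defaultPackages, noexec note …
```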