🚀 reenable security
This commit is contained in:
parent
0398231342
commit
6eb6183e79
3 changed files with 20 additions and 12 deletions
|
|
@ -18,7 +18,7 @@
|
|||
feh = "feh --auto-zoom --scale-down";
|
||||
|
||||
us = "systemctl --user";
|
||||
rs = "sudo systemctl";
|
||||
rs = "doas systemctl";
|
||||
|
||||
ga = "git add";
|
||||
gb = "git branch";
|
||||
|
|
@ -31,10 +31,10 @@
|
|||
|
||||
ssh = "TERM=xterm-color ssh";
|
||||
|
||||
nix-switch = "sudo nixos-rebuild switch --flake ~/.dotfiles";
|
||||
nix-boot = "sudo nixos-rebuild boot --flake ~/.dotfiles";
|
||||
nix-switch = "doas nixos-rebuild switch --flake ~/.dotfiles";
|
||||
nix-boot = "doas nixos-rebuild boot --flake ~/.dotfiles";
|
||||
nix-lock =
|
||||
"sudo nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
|
||||
"doas nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
|
||||
};
|
||||
enableSyntaxHighlighting = true;
|
||||
enableAutosuggestions = true;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./cachix.nix ./cli ./desktop ./editors ./services ];
|
||||
imports =
|
||||
[ ./cachix.nix ./cli ./desktop ./editors ./services ./security.nix ];
|
||||
|
||||
# USERS
|
||||
users.users.moritz = {
|
||||
|
|
@ -22,7 +23,7 @@
|
|||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# PACKAGES
|
||||
environment.systemPackages = with pkgs; [ vim wget firefox ];
|
||||
environment.systemPackages = with pkgs; [ vim wget firefox git ];
|
||||
|
||||
home-manager.users.moritz = {
|
||||
# Let Home Manager install and manage itself.
|
||||
|
|
|
|||
|
|
@ -25,12 +25,6 @@
|
|||
# Disable it, since we don't need it, and is a potential security concern.
|
||||
"kernel.sysrq" = 0;
|
||||
|
||||
# Restrict dmesg access for normal users
|
||||
"kernel.dmesg_restrict" = 1;
|
||||
|
||||
# Restrict printing of kernel addresses
|
||||
"kernel.kptr_restrict" = 2;
|
||||
|
||||
## TCP hardening
|
||||
# Prevent bogus ICMP errors from filling up logs.
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
|
|
@ -69,4 +63,17 @@
|
|||
|
||||
# So we don't have to do this later...
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
# Enable doas as an alternative to sudo
|
||||
security.doas = {
|
||||
enable = true;
|
||||
extraRules = [
|
||||
# Do not ask for a password again for some time after the user successfully authenticates.
|
||||
{
|
||||
groups = [ "wheel" "doas" ];
|
||||
persist = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
security.sudo.enable = !config.security.doas.enable;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue