🚀 reenable security

2021-12-30 11:14:32 +01:00 · 2021-12-30 11:14:32 +01:00 · 6eb6183e79
parent 0398231342
commit 6eb6183e79
3 changed files with 20 additions and 12 deletions
--- a/modules/cli/zsh.nix
+++ b/modules/cli/zsh.nix
@ -18,7 +18,7 @@
          feh = "feh --auto-zoom --scale-down";

          us = "systemctl --user";
-          rs = "sudo systemctl";
+          rs = "doas systemctl";

          ga = "git add";
          gb = "git branch";
@ -31,10 +31,10 @@

          ssh = "TERM=xterm-color ssh";

-          nix-switch = "sudo nixos-rebuild switch --flake ~/.dotfiles";
-          nix-boot = "sudo nixos-rebuild boot --flake ~/.dotfiles";
+          nix-switch = "doas nixos-rebuild switch --flake ~/.dotfiles";
+          nix-boot = "doas nixos-rebuild boot --flake ~/.dotfiles";
          nix-lock =
-            "sudo nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
+            "doas nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
        };
        enableSyntaxHighlighting = true;
        enableAutosuggestions = true;
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,7 +1,8 @@
 { lib, pkgs, ... }:

 {
-  imports = [ ./cachix.nix ./cli ./desktop ./editors ./services ];
+  imports =
+    [ ./cachix.nix ./cli ./desktop ./editors ./services ./security.nix ];

  # USERS
  users.users.moritz = {
@ -22,7 +23,7 @@
  time.timeZone = "Europe/Berlin";

  # PACKAGES
-  environment.systemPackages = with pkgs; [ vim wget firefox ];
+  environment.systemPackages = with pkgs; [ vim wget firefox git ];

  home-manager.users.moritz = {
    # Let Home Manager install and manage itself.
--- a/modules/security.nix
+++ b/modules/security.nix
@ -25,12 +25,6 @@
    # Disable it, since we don't need it, and is a potential security concern.
    "kernel.sysrq" = 0;

-    # Restrict dmesg access for normal users
-    "kernel.dmesg_restrict" = 1;
-
-    # Restrict printing of kernel addresses
-    "kernel.kptr_restrict" = 2;
-
    ## TCP hardening
    # Prevent bogus ICMP errors from filling up logs.
    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
@ -69,4 +63,17 @@

  # So we don't have to do this later...
  security.acme.acceptTerms = true;
+
+  # Enable doas as an alternative to sudo
+  security.doas = {
+    enable = true;
+    extraRules = [
+      # Do not ask for a password again for some time after the user successfully authenticates.
+      {
+        groups = [ "wheel" "doas" ];
+        persist = true;
+      }
+    ];
+  };
+  security.sudo.enable = !config.security.doas.enable;
 }