🚀 reenable security

This commit is contained in:
Moritz Böhme 2021-12-30 11:14:32 +01:00
parent 0398231342
commit 6eb6183e79
3 changed files with 20 additions and 12 deletions

View file

@ -18,7 +18,7 @@
feh = "feh --auto-zoom --scale-down"; feh = "feh --auto-zoom --scale-down";
us = "systemctl --user"; us = "systemctl --user";
rs = "sudo systemctl"; rs = "doas systemctl";
ga = "git add"; ga = "git add";
gb = "git branch"; gb = "git branch";
@ -31,10 +31,10 @@
ssh = "TERM=xterm-color ssh"; ssh = "TERM=xterm-color ssh";
nix-switch = "sudo nixos-rebuild switch --flake ~/.dotfiles"; nix-switch = "doas nixos-rebuild switch --flake ~/.dotfiles";
nix-boot = "sudo nixos-rebuild boot --flake ~/.dotfiles"; nix-boot = "doas nixos-rebuild boot --flake ~/.dotfiles";
nix-lock = nix-lock =
"sudo nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file"; "doas nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
}; };
enableSyntaxHighlighting = true; enableSyntaxHighlighting = true;
enableAutosuggestions = true; enableAutosuggestions = true;

View file

@ -1,7 +1,8 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
{ {
imports = [ ./cachix.nix ./cli ./desktop ./editors ./services ]; imports =
[ ./cachix.nix ./cli ./desktop ./editors ./services ./security.nix ];
# USERS # USERS
users.users.moritz = { users.users.moritz = {
@ -22,7 +23,7 @@
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# PACKAGES # PACKAGES
environment.systemPackages = with pkgs; [ vim wget firefox ]; environment.systemPackages = with pkgs; [ vim wget firefox git ];
home-manager.users.moritz = { home-manager.users.moritz = {
# Let Home Manager install and manage itself. # Let Home Manager install and manage itself.

View file

@ -25,12 +25,6 @@
# Disable it, since we don't need it, and is a potential security concern. # Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0; "kernel.sysrq" = 0;
# Restrict dmesg access for normal users
"kernel.dmesg_restrict" = 1;
# Restrict printing of kernel addresses
"kernel.kptr_restrict" = 2;
## TCP hardening ## TCP hardening
# Prevent bogus ICMP errors from filling up logs. # Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1; "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
@ -69,4 +63,17 @@
# So we don't have to do this later... # So we don't have to do this later...
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
# Enable doas as an alternative to sudo
security.doas = {
enable = true;
extraRules = [
# Do not ask for a password again for some time after the user successfully authenticates.
{
groups = [ "wheel" "doas" ];
persist = true;
}
];
};
security.sudo.enable = !config.security.doas.enable;
} }