🚀 reenable security
This commit is contained in:
parent
0398231342
commit
6eb6183e79
3 changed files with 20 additions and 12 deletions
@ -18,7 +18,7 @@
feh = "feh --auto-zoom --scale-down";
feh = "feh --auto-zoom --scale-down";
|
|
us = "systemctl --user";
us = "systemctl --user";
rs = "sudo systemctl";
rs = "doas systemctl";
|
|
ga = "git add";
ga = "git add";
gb = "git branch";
gb = "git branch";
@ -31,10 +31,10 @@
|
|
ssh = "TERM=xterm-color ssh";
ssh = "TERM=xterm-color ssh";
|
|
nix-switch = "sudo nixos-rebuild switch --flake ~/.dotfiles";
nix-switch = "doas nixos-rebuild switch --flake ~/.dotfiles";
nix-boot = "sudo nixos-rebuild boot --flake ~/.dotfiles";
nix-boot = "doas nixos-rebuild boot --flake ~/.dotfiles";
nix-lock =
nix-lock =
"sudo nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
"doas nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file";
};
};
enableSyntaxHighlighting = true;
enableSyntaxHighlighting = true;
enableAutosuggestions = true;
enableAutosuggestions = true;
|
|
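Review bot: The `rs`, `nix-switch`, `nix-boot` and `nix-lock` aliases now hard-depend on a `doas` binary that this home-manager file cannot see is enabled — it is switched on in security.nix, which configuration.nix only imports elsewhere in this same commit, so a host built without that import gets a broken alias rather than a fallback to sudo. A one-line comment above the block, `# these require security.doas.enable (security.nix); sudo is turned off when doas is on`, would document the coupling. It is also worth checking that doas's environment reset does not break `nixos-rebuild ... --flake ~/.dotfiles`: `~` is expanded by the user's shell before doas runs, but the root-side process presumably gets doas's default PATH and HOME rather than the user's unless the rule sets `keepEnv`, which the rule added in security.nix does not. The enclosing shellAliases attribute set starts outside the hunk.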
@ -1,7 +1,8 @@
{ lib, pkgs, ... }:
{ lib, pkgs, ... }:
|
|
{
{
imports = [ ./cachix.nix ./cli ./desktop ./editors ./services ];
imports =
|
[ ./cachix.nix ./cli ./desktop ./editors ./services ./security.nix ];
|
|
# USERS
# USERS
users.users.moritz = {
users.users.moritz = {
@ -22,7 +23,7 @@
time.timeZone = "Europe/Berlin";
time.timeZone = "Europe/Berlin";
|
|
# PACKAGES
# PACKAGES
environment.systemPackages = with pkgs; [ vim wget firefox ];
environment.systemPackages = with pkgs; [ vim wget firefox git ];
|
|
home-manager.users.moritz = {
home-manager.users.moritz = {
# Let Home Manager install and manage itself.
# Let Home Manager install and manage itself.
|
|
@ -25,12 +25,6 @@
# Disable it, since we don't need it, and is a potential security concern.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
"kernel.sysrq" = 0;
|
|
# Restrict dmesg access for normal users
|
"kernel.dmesg_restrict" = 1;
|
|
|
# Restrict printing of kernel addresses
|
"kernel.kptr_restrict" = 2;
|
|
|
## TCP hardening
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
@ -69,4 +63,17 @@
|
|
# So we don't have to do this later...
# So we don't have to do this later...
security.acme.acceptTerms = true;
security.acme.acceptTerms = true;
|
|
|
# Enable doas as an alternative to sudo
|
security.doas = {
|
enable = true;
|
extraRules = [
|
# Do not ask for a password again for some time after the user successfully authenticates.
|
{
|
groups = [ "wheel" "doas" ];
|
persist = true;
|
}
|
];
|
};
|
security.sudo.enable = !config.security.doas.enable;
}
}
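Review bot: `security.sudo.enable = !config.security.doas.enable;` on the last added line references `config`, but this module's argument set is outside the hunk; if it is `{ lib, pkgs, ... }:` as in configuration.nix, evaluation fails with an undefined variable, so confirm `config` is bound (or simply write `security.sudo.enable = false;`, since doas is enabled unconditionally a few lines above). The rule `groups = [ "wheel" "doas" ]; persist = true;` lets any process running as a wheel user re-escalate without a password for the whole persist window, which is broader than the default per-invocation prompt; consider scoping it to `users = [ "moritz" ];` or extending the comment above it to state that trade-off. Nothing in this hunk appears to create a `doas` group, so that entry presumably never matches until the group exists — worth a comment or dropping it. Finally, the earlier hunk in this file drops `kernel.dmesg_restrict` and `kernel.kptr_restrict` under a commit titled "reenable security"; if that is deliberate, a one-line comment in the sysctl block explaining why would save the next reader from re-adding them.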