reidlab/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fully tabs2space

Browse source
This commit is contained in:
Reid 2024-04-02 23:11:47 -07:00
parent 38839cdcbf
commit 9743295319
9 changed files with 79 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

32
modules/security.nix
View file

@ -9,13 +9,13 @@ in {
};
config = mkIf cfg.enable {
boot = {
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
kernel.sysctl = {
# magic sysrq key, allows low-level commands through keyboard input
"kernel.sysrq" = 0;
boot = {
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
kernel.sysctl = {
# magic sysrq key, allows low-level commands through keyboard input
"kernel.sysrq" = 0;
## TCP hardening
# prevent bogus ICMP errors from filling up logs
@ -50,21 +50,21 @@ in {
security = {
# prevents replacing the kernel without a reboot
protectKernelImage = true;
# rtkit allows unprivileged processes to use realtime scheduling
protectKernelImage = true;
# rtkit allows unprivileged processes to use realtime scheduling
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
rtkit.enable = true;
rtkit.enable = true;
polkit.enable = true;
};
# personal computer? no firewall ty :3
networking.firewall.enable = false;
} // (mkIf cfg.useDoas {
security.sudo.enable = false;
security.doas.enable = true;
security.doas.extraRules = [
{ users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
];
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
security.sudo.enable = false;
security.doas.enable = true;
security.doas.extraRules = [
{ users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
];
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
});
}