security.nix adjustments...

Reid 2024-03-27 23:10:34 -07:00
parent cf60caa311
commit 8251040b04


@ -5,7 +5,7 @@ let
cfg = config.modules.security; cfg = config.modules.security;
in { in {
options.modules.security = { options.modules.security = {
useDoas = mkEnableOption "use doas instead of sudo"; useDoas = mkEnableOption "use opendoas instead of sudo";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -51,10 +51,14 @@ in {
security = { security = {
# prevents replacing the kernel without a reboot # prevents replacing the kernel without a reboot
protectKernelImage = true; protectKernelImage = true;
# allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) # rtkit allows unprivileged processes to use realtime scheduling
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
rtkit.enable = true; rtkit.enable = true;
polkit.enable = true; polkit.enable = true;
}; };
# while this is on by default, i am going to explicitly specify this
networking.firewall.enable = true;
} // (mkIf cfg.useDoas { } // (mkIf cfg.useDoas {
security.sudo.enable = false; security.sudo.enable = false;
security.doas.enable = true; security.doas.enable = true;
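Review bot: The new `networking.firewall.enable = true;` is added to the attribute set on the left of `} // (mkIf cfg.useDoas {`, and that set may never be applied. If it is the one opened by `config = mkIf cfg.enable {` (the lines between the two hunks are not shown, so this is inferred), the expression parses as `(mkIf cfg.enable { … }) // (mkIf cfg.useDoas { … })`. Because `//` is a shallow merge of the two `mkIf` records, the right-hand `condition` and `content` replace the left-hand ones, which would silently drop the firewall, `protectKernelImage`, rtkit and polkit settings and leave only the doas block, gated on `useDoas` alone. Combining the two with the module system instead, `config = mkIf cfg.enable (mkMerge [ { … } (mkIf cfg.useDoas { … }) ]);`, keeps both parts, and checking the evaluated `config.networking.firewall.enable` and `config.security.protectKernelImage` on a built system would confirm it. The enclosing block starts and ends outside the hunk.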