reorganization + todo

Reid 2024-03-25 18:05:45 -07:00
parent 1696ae7411
commit b71ef36f57
2 changed files with 3 additions and 2 deletions


@ -23,7 +23,7 @@ in {
# do not accept IP source packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're not a router)
# don't send ICMP redirects (again, we're not a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# refuse ICMP redirects (MITM mitigations)
@ -52,8 +52,8 @@ in {
# prevents replacing the kernel without a reboot
protectKernelImage = true;
# allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
polkit.enable = true;
rtkit.enable = true;
polkit.enable = true;
};
} // (mkIf cfg.useDoas {
security.sudo.enable = false;
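Review bot: The IPv6 context line `"net.ipv6.conf.all.accept_source_route" = 0;` in the first hunk likely does less than the comment above it ("do not accept IP source packets") promises. Per the kernel's ip-sysctl documentation, the IPv6 key treats 0 (its default) as "accept only type 2 routing headers", and only a negative value refuses routing headers entirely, whereas the IPv4 key is a plain on/off switch. If the intent is to refuse all source-routed traffic, `"net.ipv6.conf.all.accept_source_route" = -1;` would state that. Otherwise a short comment such as `# 0 still permits RH type 2 (Mobile IPv6)` would make the choice explicit. The commit does not change these lines, and the sysctl attribute set continues outside the hunk, so this may already be handled elsewhere.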


@ -25,3 +25,4 @@ before committing, please run `nix flake check` and make sure everything is ok
- swap back to hardened kernel
- leverage nixos-hardware
- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed
- flake-parts