Browse Source

security: Some settings should always be enabled

Even if Phoebe security is off, force some settings to be on.  These
are settings that are appropriate even for developer testing VMs.
pjones/monitoring
Peter J. Jones 8 months ago
parent
commit
b9061e43a4
Signed by: Peter Jones <pjones@devalot.com> GPG Key ID: 9DAFAA8D01941E49
1 changed files with 25 additions and 0 deletions
  1. 25
    0
      modules/security/default.nix

+ 25
- 0
modules/security/default.nix View File

@@ -23,11 +23,28 @@ in

#### Implementation
config = mkMerge [

############################################################################
# Things to disable when not using security settings:
(mkIf (!cfg.enable) {
# Only really useful for development VMs:
networking.firewall.enable = false;
})

############################################################################
# Settings that are always enabled:
{
# Users must be created in Nix:
users.mutableUsers = false;

# Don't require or use any passwords:
security.pam.enableSSHAgentAuth = true;
services.openssh.passwordAuthentication = false;
services.openssh.permitRootLogin = "without-password";
}

############################################################################
# Settings to enable when security is enabled:
(mkIf cfg.enable {
# Firewall:
networking.firewall = {
@@ -36,6 +53,14 @@ in
pingLimit = "--limit 1/minute --limit-burst 5";
allowedTCPPorts = config.services.openssh.ports;
};

# SSH and authentication:
services.openssh.forwardX11 = false;
services.openssh.openFirewall = false; # Done above.

# Run-time kernel modifications:
# FIXME: enable after some testing.
# security.lockKernelModules = true;
})
];
}

Loading…
Cancel
Save