A layer on top of the NixOS module system to make some tasks simpler.

default.nix 1.8KB

  1. { config, lib, pkgs, ...}:
  2. # Bring in library functions:
  3. with lib;
  4. let
  5. cfg = config.phoebe.security;
  6. in
  7. {
  8. #### Interface
  9. options.phoebe.security = {
  10. enable = mkOption {
  11. type = types.bool;
  12. default = true;
  13. description = ''
  14. Whether or not to enable security settings. Usually this will
  15. be left at the default value of true. However, for testing
  16. inside virtual machines you probably wnat to turn this off.
  17. '';
  18. };
  19. };
  20. #### Implementation
  21. config = mkMerge [
  22. ############################################################################
  23. # Things to disable when not using security settings:
  24. (mkIf (!cfg.enable) {
  25. # Only really useful for development VMs:
  26. networking.firewall.enable = false;
  27. })
  28. ############################################################################
  29. # Settings that are always enabled:
  30. {
  31. # Users must be created in Nix:
  32. users.mutableUsers = false;
  33. # Don't require or use any passwords:
  34. security.pam.enableSSHAgentAuth = true;
  35. services.openssh.passwordAuthentication = false;
  36. services.openssh.permitRootLogin = "without-password";
  37. }
  38. ############################################################################
  39. # Settings to enable when security is enabled:
  40. (mkIf cfg.enable {
  41. # Firewall:
  42. networking.firewall = {
  43. enable = true;
  44. allowPing = true;
  45. pingLimit = "--limit 1/minute --limit-burst 5";
  46. allowedTCPPorts = config.services.openssh.ports;
  47. };
  48. # SSH and authentication:
  49. services.openssh.forwardX11 = false;
  50. services.openssh.openFirewall = false; # Done above.
  51. # Run-time kernel modifications:
  52. # FIXME: enable after some testing.
  53. # security.lockKernelModules = true;
  54. })
  55. ];
  56. }