From 6eb6183e795f93cf1b08bad2ac860c83fced48b4 Mon Sep 17 00:00:00 2001 From: MoritzBoehme Date: Thu, 30 Dec 2021 11:14:32 +0100 Subject: [PATCH] :rocket: reenable security --- modules/cli/zsh.nix | 8 ++++---- modules/default.nix | 5 +++-- modules/security.nix | 19 +++++++++++++------ 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/modules/cli/zsh.nix b/modules/cli/zsh.nix index a57086c..fa9fa8c 100644 --- a/modules/cli/zsh.nix +++ b/modules/cli/zsh.nix @@ -18,7 +18,7 @@ feh = "feh --auto-zoom --scale-down"; us = "systemctl --user"; - rs = "sudo systemctl"; + rs = "doas systemctl"; ga = "git add"; gb = "git branch"; @@ -31,10 +31,10 @@ ssh = "TERM=xterm-color ssh"; - nix-switch = "sudo nixos-rebuild switch --flake ~/.dotfiles"; - nix-boot = "sudo nixos-rebuild boot --flake ~/.dotfiles"; + nix-switch = "doas nixos-rebuild switch --flake ~/.dotfiles"; + nix-boot = "doas nixos-rebuild boot --flake ~/.dotfiles"; nix-lock = - "sudo nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file"; + "doas nixos-rebuild dry-activate --flake ~/.dotfiles --recreate-lock-file"; }; enableSyntaxHighlighting = true; enableAutosuggestions = true; diff --git a/modules/default.nix b/modules/default.nix index c4a28a7..bc45e0d 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,7 +1,8 @@ { lib, pkgs, ... }: { - imports = [ ./cachix.nix ./cli ./desktop ./editors ./services ]; + imports = + [ ./cachix.nix ./cli ./desktop ./editors ./services ./security.nix ]; # USERS users.users.moritz = { @@ -22,7 +23,7 @@ time.timeZone = "Europe/Berlin"; # PACKAGES - environment.systemPackages = with pkgs; [ vim wget firefox ]; + environment.systemPackages = with pkgs; [ vim wget firefox git ]; home-manager.users.moritz = { # Let Home Manager install and manage itself. diff --git a/modules/security.nix b/modules/security.nix index deed883..fefd484 100644 --- a/modules/security.nix +++ b/modules/security.nix 
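Review bot: `nix-lock` still runs `--recreate-lock-file` under the privilege-escalation tool (now `doas`), so the rewritten `flake.lock` in `~/.dotfiles` will most likely end up owned by root and later user-level `git`/`nix` operations in that checkout hit permission errors; this predates the sudo→doas swap, but the line is being rewritten anyway. Regenerating the lock does not need root: `nix-lock = "nix flake update ~/.dotfiles";` run as the user, followed by `nix-switch` for activation, avoids the root-owned file. The `~` is expanded by the user's shell before doas runs, so the path itself is not the problem. The enclosing `shellAliases` set starts and ends outside the hunk.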
@@ -25,12 +25,6 @@ # Disable it, since we don't need it, and is a potential security concern. "kernel.sysrq" = 0; - # Restrict dmesg access for normal users - "kernel.dmesg_restrict" = 1; - - # Restrict printing of kernel addresses - "kernel.kptr_restrict" = 2; - ## TCP hardening # Prevent bogus ICMP errors from filling up logs. "net.ipv4.icmp_ignore_bogus_error_responses" = 1; @@ -69,4 +63,17 @@ # So we don't have to do this later... security.acme.acceptTerms = true; + + # Enable doas as an alternative to sudo + security.doas = { + enable = true; + extraRules = [ + # Do not ask for a password again for some time after the user successfully authenticates. + { + groups = [ "wheel" "doas" ]; + persist = true; + } + ]; + }; + security.sudo.enable = !config.security.doas.enable; }
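Review bot: Dropping `"kernel.dmesg_restrict" = 1;` and `"kernel.kptr_restrict" = 2;` is a hardening regression in a commit titled "reenable security", and nothing in the hunk says why: unprivileged users regain `dmesg` access (kernel log contents, including addresses and hardware details) and kernel pointer printing is no longer masked. If the removal is deliberate (a tool needs `dmesg`, or the values are already set by another module and these were duplicates), record that in a comment in place of the deleted lines; otherwise keep them. If the assumption is that NixOS sets them elsewhere, confirm with `sysctl kernel.dmesg_restrict kernel.kptr_restrict` on the rebuilt system rather than relying on it. The enclosing sysctl attribute set (presumably `boot.kernel.sysctl`) starts and ends outside the hunk.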
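Review bot: The `extraRules` entry grants `wheel` and `doas` an unrestricted `permit persist` (no `cmd`), and doas applies the last matching rule, so the effective rule for `wheel` depends on whether the NixOS module emits its own `:wheel` rule (which, as far as I recall, carries `keepenv`) before or after `extraRules` — check the generated `/etc/doas.conf` on the built system, because if the module rule comes last, `persist` is silently ignored for `wheel`. `persist` is also a Linux-specific OpenDoas extension that its manual describes as experimental, so a short comment such as `# persist: OpenDoas timestamp feature (experimental); chosen over sudo's timestamp_timeout` would help the next reader. The `doas` group is referenced but not created anywhere in this diff; either add `users.groups.doas = { };` or drop it from `groups`. `security.sudo.enable = !config.security.doas.enable;` requires `config` in the module's argument set, which is outside the hunk — verify the file header reads `{ config, ... }:`.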