Add all of iogamaster modules

2024-06-15 09:59:52 +02:00
parent c97f22254a
commit fa99b32cad
120 changed files with 3587 additions and 254 deletions
--- a/modules/nixos/system/security/lockdown/default.nix
+++ b/modules/nixos/system/security/lockdown/default.nix
@ -0,0 +1,44 @@
+{
+  options,
+  config,
+  lib,
+  ...
+}:
+with lib;
+with lib.frajul;
+let
+  cfg = config.system.security.lockdown;
+in
+{
+  options.system.security.lockdown = {
+    enable = mkBoolOpt false "Whether or not to lockdown the system for maximum security";
+  };
+
+  config = mkIf cfg.enable {
+    # Ripped from:
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+
+    nix.allowedUsers = [ "@wheel" ];
+    environment.defaultPackages = lib.mkForce [ ]; # Heres a great little piece, it disables any non defined packages for this system
+
+    services.openssh = {
+      settings.passwordAuthentication = false;
+      allowSFTP = false; # Don't set this if you need sftp
+      challengeResponseAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
+
+    fileSystems."/".options = [ "noexec" ];
+    fileSystems."/etc/nixos".options = [ "noexec" ];
+    fileSystems."/srv".options = [ "noexec" ];
+    fileSystems."/var/log".options = [ "noexec" ];
+
+    environment.systemPackages = with pkgs; [ clamav ]; # PCI Compliance
+  };
+}