Commit fd00da7f authored by fpletz's avatar fpletz 🚧

luftschleuse: more hardening

parent 05345a36
...@@ -37,7 +37,7 @@ in ...@@ -37,7 +37,7 @@ in
fsType = "ext4"; fsType = "ext4";
options = [ "noatime" ]; options = [ "noatime" ];
}; };
"/boot/firmware = { "/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE"; device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat"; fsType = "vfat";
}; };
...@@ -54,6 +54,8 @@ in ...@@ -54,6 +54,8 @@ in
firewall.trustedInterfaces = [ "wlan0" "eth0" ]; firewall.trustedInterfaces = [ "wlan0" "eth0" ];
}; };
services.resolved.enable = false;
systemd.network.networks."40-wlan0" = { systemd.network.networks."40-wlan0" = {
linkConfig.RequiredForOnline = false; linkConfig.RequiredForOnline = false;
}; };
...@@ -67,6 +69,7 @@ in ...@@ -67,6 +69,7 @@ in
services.openssh.extraConfig = lib.concatMapStrings (t: '' services.openssh.extraConfig = lib.concatMapStrings (t: ''
Match User ${t.user} Match User ${t.user}
DisableForwarding yes
ForceCommand ${pkgs.writeScript "${t.user}.sh" '' ForceCommand ${pkgs.writeScript "${t.user}.sh" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -o errexit set -o errexit
......
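Review bot: Pseudo-terminal allocation is still allowed for the forced-command accounts in the `Match User ${t.user}` block, because the added `DisableForwarding yes` covers forwarding only and sshd's `PermitTTY` defaults to yes. If the forced script does not need a terminal, add `PermitTTY no` directly under `DisableForwarding yes` so each account is limited to its one non-interactive command. The script passed to `ForceCommand` continues past the end of this hunk, so whether it reads client-supplied input such as `SSH_ORIGINAL_COMMAND` cannot be checked from here; if it does, that value should be matched against a fixed list before use.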