41 lines
847 B
Nix
41 lines
847 B
Nix
{ username, ... }:
|
|
|
|
{
|
|
programs.gnupg.agent = {
|
|
enable = true;
|
|
enableSSHSupport = true;
|
|
};
|
|
|
|
/*
|
|
* Sudo is scheduled to be replaced by systemd's run0.
|
|
* The blocker for this is persistent authentication support.
|
|
*
|
|
* https://github.com/systemd/systemd/issues/33366
|
|
* https://github.com/polkit-org/polkit/issues/472
|
|
*/
|
|
security.sudo = {
|
|
enable = true;
|
|
execWheelOnly = true;
|
|
extraConfig = ''
|
|
Defaults lecture="never"
|
|
'';
|
|
};
|
|
|
|
security.apparmor.enable = true;
|
|
networking.firewall.enable = true;
|
|
|
|
/* Disable the root user */
|
|
users = {
|
|
users.root.hashedPassword = "!";
|
|
mutableUsers = false;
|
|
};
|
|
|
|
sops.age.keyFile = "/nix/config/keys.txt";
|
|
|
|
environment.persistence."/nix/persist" = {
|
|
users."${username}".directories = [
|
|
".ssh"
|
|
".local/share/gnupg"
|
|
];
|
|
};
|
|
}
|