Harald Hoyer
b845b617b0
This commit removes the predefined TCP port 8080 from the firewall's allowed-ports list. Nothing in this configuration listens on it, so closing the port reduces the host's exposed network surface.
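{ pkgs, lib, config, ... }:

let
  # The SGX Provisioning Certificate Caching Service (PCCS) this host talks to.
  # 192.168.122.1 is presumably the gateway of the default libvirt NAT network,
  # i.e. the hypervisor side of this guest's virtual NIC -- confirm against the
  # host's network layout before changing it.
  pccsHost = "192.168.122.1";
  pccsPort = toString 8081;

  # NAT rules, written once so the add and delete commands cannot drift apart.
  #  * OUTPUT: anything on this host that connects to loopback:8081 is redirected
  #    to the PCCS host, so tooling that expects a local PCCS keeps working.
  #  * POSTROUTING: those rerouted packets still carry a 127.0.0.1 source and
  #    must be SNATed to leave the box. Only that flow is masqueraded; the
  #    previous unconditional MASQUERADE rewrote the source of every packet
  #    leaving the host on every interface, far wider than the redirect needs.
  natRules = [
    "OUTPUT -o lo -p tcp --dport ${pccsPort} -j DNAT --to-destination ${pccsHost}:${pccsPort}"
    "POSTROUTING -d ${pccsHost} -p tcp --dport ${pccsPort} -j MASQUERADE"
  ];
  natAdd = lib.concatMapStringsSep "\n" (r: "iptables -t nat -A ${r}") natRules;
  natDel = lib.concatMapStringsSep "\n" (r: "iptables -t nat -D ${r} 2>/dev/null || true") natRules;
in
{
  imports = [
    ./hardware-configuration.nix
    # ./atticd.nix
  ];

  # The kernel refuses to route 127.0.0.0/8 traffic out of a non-loopback
  # interface unless route_localnet is set; the DNAT rule above depends on it.
  # This relaxes the usual "loopback never leaves the host" assumption for the
  # whole machine, which is why the NAT rules are kept as narrow as possible.
  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;

  # Priority 0 outranks every other definition (mkForce is 50), so no imported
  # module can pin this host to an older kernel.
  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;

  networking.firewall.extraCommands = natAdd;

  # The NixOS firewall only flushes its own nixos-fw chains on reload; rules
  # appended to the nat table's built-in chains would otherwise accumulate one
  # copy per reload (and system.autoUpgrade switches regularly). Remove them
  # again when the firewall stops.
  networking.firewall.extraStopCommands = natDel;

  metacfg = {
    base.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    # Intel DCAP quoting support (aesmd with the DCAP quote provider).
    aesmd_dcap.enable = true;
    podman.enable = true;
    # NOTE(review): membership in "docker" is root-equivalent -- the daemon
    # socket lets the user start containers with arbitrary host mounts. Keep
    # this to the one operator account that really needs it.
    user.extraGroups = [ "docker" "sgx" ];
  };

  # Quote-collateral network library config. "use_secure_cert": false disables
  # TLS certificate verification for pccs_url. The collateral itself is Intel
  # signed and is verified independently of transport, so a spoofed PCCS should
  # only be able to withhold or replay older collateral, not forge it; this is
  # tolerable only because the PCCS sits on the guest's private virtual network.
  # TODO: provision a trusted certificate for the PCCS and set this to true.
  # Note the URL targets the PCCS host directly; the loopback DNAT above exists
  # for other clients that assume a local PCCS.
  environment.etc."sgx_default_qcnl.conf".text = ''
    {
      "pccs_url": "https://${pccsHost}:${pccsPort}/sgx/certification/v4/",
      "use_secure_cert": false,
      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';

  virtualisation = {
    docker.enable = true;
    # The real Docker daemon is enabled, so podman must not install its
    # docker-compatibility wrapper or the two would collide on the `docker` name.
    podman.dockerCompat = false;
  };

  # Unattended upgrades that switch into the new generation and may reboot on
  # their own; anything running at that moment (including SGX workloads) is
  # interrupted without warning.
  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  # No TPM stack on this host; attestation here is SGX DCAP via aesmd.
  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.

  networking.firewall.allowPing = true;

  powerManagement.cpuFreqGovernor = "ondemand";

  system.stateVersion = "23.11";
}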