nebula: sourcephile.fr: fix cert path
[julm/julm-nix.git] / nixos / profiles / security.nix
index 7f7acc5e03a7f4fdb7b798603fb9dd053dd92a0e..f5a6c543ded3b1d4005a1129c9f2199a6ab683cb 100644 (file)
@@ -7,12 +7,14 @@ with lib;
   #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   #environment.memoryAllocator.provider = "libc";
   nix.settings.allowed-users = [ "@users" ];
-  nix.settings.trusted-substituters = [
+  /*
+    nix.settings.substituters = [
     "https://nix-community.cachix.org"
-  ];
-  nix.settings.trusted-public-keys = [
-    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-  ];
+    ];
+    nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  */
   nix.settings.trusted-users = [
     "root"
     "@wheel"
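Review bot: The key name inside the commented-out block drops the `-1` suffix that the removed line carried: the old entry was `"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="`, the new one reads `"nix-community.cachix.org:…"`. In `trusted-public-keys` the part before the colon is the key id the cache signs its narinfo with, so if this block is ever re-enabled the signature check would presumably fail rather than silently accept unsigned paths, but it is a trap worth removing now while the reason for the edit is still known. Since the block is dead code, I would restore the original spelling on that line and add a one-line comment stating why the substituter is disabled, e.g. `# disabled: <reason>`, so the next reader does not have to guess.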
@@ -178,6 +180,14 @@ with lib;
     };
     openFirewall = mkDefault false;
     settings = {
+      Ciphers = [
+        # Not hardware accelerated, but fast enough and somehow more secure
+        # (packet sizes are encrypted and less vulnerable to timing attacks).
+        "chacha20-poly1305@openssh.com"
+        # A bit more throughput.
+        "aes128-gcm@openssh.com"
+        "aes256-gcm@openssh.com"
+      ];
       KbdInteractiveAuthentication = mkDefault false;
       # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
       KexAlgorithms = [
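Review bot: The `Ciphers` list is assigned unconditionally while the neighbouring `openFirewall` and `KbdInteractiveAuthentication` use `mkDefault`, so a host profile cannot override it without `mkForce`; `Ciphers = mkDefault [ … ];` would keep the style of the surrounding settings. The comment "A bit more throughput." also suggests the order expresses a preference, but in SSH the server's list only constrains what is acceptable — the client's preference order decides which cipher is chosen — so I would say that explicitly, e.g. `# Order is informational only: the client's preference wins.`. Finally, "less vulnerable to timing attacks" understates the actual property; chacha20-poly1305@openssh.com encrypts the packet-length field (the GCM modes only authenticate it), so `# Encrypts the packet length field, unlike the GCM modes.` is the more precise justification.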