From 241b943c3216073023b312b1a1297dc66dceb7af Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 23 Jul 2017 00:19:57 +0200
Subject: l iso: use networking.firewall

---
 lass/1systems/iso.nix | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 820ef74b8..4431a702c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -151,25 +151,41 @@ with import ;
 systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
 }
 {
- krebs.iptables = {
+ networking.firewall = {
 enable = true;
- tables = {
- filter.INPUT.policy = "DROP";
- filter.FORWARD.policy = "DROP";
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
- { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
- { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
- { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
- { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
- { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
- { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
- ];
- };
+ allowedTCPPorts = [ 22 ];
 };
 }
 { krebs.hidden-ssh.enable = true; }
+ {
+ services.xserver = {
+ enable = true;
+ #videoDrivers = mkForce [ "ati_unfree" ];
+
+ desktopManager.xterm.enable = false;
+ desktopManager.default = "none";
+ displayManager.lightdm.enable = true;
+ displayManager.lightdm.autoLogin = {
+ enable = true;
+ user = "lass";
+ };
+ windowManager.default = "xmonad";
+ windowManager.session = [{
+ name = "xmonad";
+ start = ''
+ ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
+ ${pkgs.xmonad-lass}/bin/xmonad &
+ waitPID=$!
+ '';
+ }];
+
+ layout = "us";
+ xkbModel = "evdev";
+ xkbVariant = "altgr-intl";
+ xkbOptions = "caps:backspace";
+ };
+ }
 ];
 }
-- 
cgit v1.2.3
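Review bot: The explicit `filter.FORWARD.policy = "DROP"` from the removed krebs.iptables block has no counterpart in the new `networking.firewall` stanza, and whether the NixOS firewall module filters the FORWARD chain on its own is not visible in this hunk, so it is worth confirming before treating this ISO as non-forwarding (it only matters once IP forwarding is enabled, but the old rules made it explicit). The per-interface REJECT rules for `retiolum` also disappear; since the `--dport 22` accept appears to have ordered ahead of them (precedence 9998 versus -10000) and unsolicited inbound is presumably dropped by the module's defaults, the inbound exposure looks equivalent, and a comment such as `# replaces the krebs.iptables rules: only ssh (22) is reachable, on every interface` next to `allowedTCPPorts` would record that reasoning. Separately, the new session script runs `xhost +LOCAL:`, which lets any local user connect to the display of the auto-logged-in `lass` account; if that is intentional for a live ISO, a one-line comment saying so would keep it from being read as an oversight. The enclosing module list begins before this hunk.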