aboutsummaryrefslogtreecommitdiff
path: root/profiles/disableTunnels.nix
diff options
context:
space:
mode:
authortilpner2020-06-15 09:53:06 +0200
committertilpner2020-06-15 09:53:06 +0200
commit367b0c114f38d5c332f5ee971ad13dd69e302dec (patch)
treeec0c5ee3e7e1f0a30517599e51bd0c8172635158 /profiles/disableTunnels.nix
parent2992d92e6ce0d7c96ccded0747d8815d8cfed956 (diff)
downloadfirefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.gz
firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.xz
firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.zip
WIP towards module based configuration
Diffstat (limited to 'profiles/disableTunnels.nix')
-rw-r--r--profiles/disableTunnels.nix27
1 files changed, 27 insertions, 0 deletions
diff --git a/profiles/disableTunnels.nix b/profiles/disableTunnels.nix
new file mode 100644
index 0000000..bf15485
--- /dev/null
+++ b/profiles/disableTunnels.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }: with lib; {
+ options.features.disableTunnels = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Take reasonable precautions against the use of a proxy, or an encrypted DNS tunnel.
+
+ This can make sense if we do DNS-level filtering, and the user does not have full control
+ over the device they're using.
+
+ If a motivated user has local write and execution privileges, it is unlikely that we can prevent
+ them from circumventing these restrictions.
+ '';
+ };
+
+ config.policies = mkIf config.features.disableTunnels {
+ DNSOverHTTPS = {
+ Enabled = false;
+ Locked = true;
+ };
+
+ Proxy = {
+ Mode = "none";
+ Locked = true;
+ };
+ };
+}