diff options
author | tilpner | 2020-06-15 09:53:06 +0200 |
---|---|---|
committer | tilpner | 2020-06-15 09:53:06 +0200 |
commit | 367b0c114f38d5c332f5ee971ad13dd69e302dec (patch) | |
tree | ec0c5ee3e7e1f0a30517599e51bd0c8172635158 /profiles/disableTunnels.nix | |
parent | 2992d92e6ce0d7c96ccded0747d8815d8cfed956 (diff) | |
download | firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.gz firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.xz firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.zip |
WIP towards module based configuration
Diffstat (limited to 'profiles/disableTunnels.nix')
-rw-r--r-- | profiles/disableTunnels.nix | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/profiles/disableTunnels.nix b/profiles/disableTunnels.nix new file mode 100644 index 0000000..bf15485 --- /dev/null +++ b/profiles/disableTunnels.nix @@ -0,0 +1,27 @@ +{ config, lib, ... }: with lib; { + options.features.disableTunnels = mkOption { + type = types.bool; + default = false; + description = '' + Take reasonable precautions against the use of a proxy, or an encrypted DNS tunnel. + + This can make sense if we do DNS-level filtering, and the user does not have full control + over the device they're using. + + If a motivated user has local write and execution privileges, it is unlikely that we can prevent + them from circumventing these restrictions. + ''; + }; + + config.policies = mkIf config.features.disableTunnels { + DNSOverHTTPS = { + Enabled = false; + Locked = true; + }; + + Proxy = { + Mode = "none"; + Locked = true; + }; + }; +} |