From 367b0c114f38d5c332f5ee971ad13dd69e302dec Mon Sep 17 00:00:00 2001
From: tilpner
Date: Mon, 15 Jun 2020 09:53:06 +0200
Subject: WIP towards module based configuration

---
 profiles/disableTunnels.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 profiles/disableTunnels.nix

(limited to 'profiles/disableTunnels.nix')

diff --git a/profiles/disableTunnels.nix b/profiles/disableTunnels.nix
new file mode 100644
index 0000000..bf15485
--- /dev/null
+++ b/profiles/disableTunnels.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }: with lib; {
+  options.features.disableTunnels = mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      Take reasonable precautions against the use of a proxy, or an encrypted DNS tunnel.
+
+      This can make sense if we do DNS-level filtering, and the user does not have full control
+      over the device they're using.
+
+      If a motivated user has local write and execution privileges, it is unlikely that we can prevent
+      them from circumventing these restrictions.
+    '';
+  };
+
+  config.policies = mkIf config.features.disableTunnels {
+    DNSOverHTTPS = {
+      Enabled = false;
+      Locked = true;
+    };
+
+    Proxy = {
+      Mode = "none";
+      Locked = true;
+    };
+  };
+}
-- 
cgit v1.2.3