From 9e60a30afa8aef1fd2258a0217b02cdb3bd123a5 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 5 Apr 2020 22:03:29 +0200
Subject: no{Clutter,Pocket,Studies,Tunnels,Updates}: document

---
 profiles/noTunnels.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'profiles/noTunnels.nix')

diff --git a/profiles/noTunnels.nix b/profiles/noTunnels.nix
index f8f5154..292b034 100644
--- a/profiles/noTunnels.nix
+++ b/profiles/noTunnels.nix
@@ -1,4 +1,14 @@
 { }: {
+  meta.description = ''
+    Take reasonable precautions against the use of a proxy, or an encrypted DNS tunnel.
+
+    This can make sense if we do DNS-level filtering, and the user does not have full control
+    over the device they're using.
+
+    If a motivated user has local write and execution privileges, it is unlikely that we can prevent
+    them from circumventing these restrictions.
+  '';
+
   policies = {
     DNSOverHTTPS = {
       Enabled = false;
-- 
cgit v1.2.3