blob: bf1548556278b95491c48a79c9f0d749970a95a6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
{ config, lib, ... }: with lib; {
options.features.disableTunnels = mkOption {
type = types.bool;
default = false;
description = ''
Take reasonable precautions against the use of a proxy, or an encrypted DNS tunnel.
This can make sense if we do DNS-level filtering, and the user does not have full control
over the device they're using.
If a motivated user has local write and execution privileges, it is unlikely that we can prevent
them from circumventing these restrictions.
'';
};
config.policies = mkIf config.features.disableTunnels {
DNSOverHTTPS = {
Enabled = false;
Locked = true;
};
Proxy = {
Mode = "none";
Locked = true;
};
};
}
|