Initial Commit

[MarigoldOS/.git] / specialisations / hardened.nix

{ pkgs,
  lib,
  config,
  ... }:
{
  specialisation.hardened.configuration = {
    imports = [
      # This includes a hardened kernel, and limiting the system information available to processes through the /sys and /proc filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to build anything (this particular setting can be overriden via security.allowUserNamespaces). See the profile source for further detail on which settings are altered.
      <nixpkgs/nixos/modules/profiles/hardened.nix>
      # Manual section: https://nixos.org/manual/nixos/stable/index.html#sec-profile-hardened
      # profile source: https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix
    ];

    # system.nixos.label = "marigoldOS-${config.system.nixos.release}-hardened";
    # system.nixos.tags = [ "hardened" ];

    networking.firewall.allowPing = false;

    # doas instead of sudo
    security.sudo.enable = false;
    security.doas = {
      enable = true;
      extraRules = [{
        groups = ["wheel"];
        persist = false;
        noPass = false;
        keepEnv = true;
      }];
    };
    # alias
    environment.shellAliases = { sudo = "doas "; };

    # Once this is in a spot where it looks good, move this to the main profile
    # security.auditd.enable = true;
    # security.audit.enable = true;
    # TODO actually make the rules, lel.
    # https://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
    # https://security.blogoverflow.com/2013/09/stump-the-chump-with-auditd-01/

    # TODO investigate this
    # security.allowUserNamespaces

    # TODO Investigate this
    # boot.kernel.randstructSeed = "Change this. Also does hiding this from version control provide any (meaningful) security advantages? Maybe from a targeted attack, but enough to matter?";

    # TODO Read then rip off archbros
    # https://wiki.archlinux.org/title/Security
  };
}