modules/shared/nixos/security/default.nix

@@ -6,6 +6,7 @@
 }: let
   inherit (lib) mkIf mkDefault;
 in {
+  imports = [./nix-mineral];
   security = {
     sudo.enable = false;
     # doas.enable = true;
@@ -33,7 +34,7 @@ in {
       '';
     };
     apparmor.enable = mkDefault true;
-    pam.sshAgentAuth.enable = true;
+    # pam.sshAgentAuth.enable = true;
   };
 
   environment.systemPackages = with pkgs; [
@@ -45,7 +46,7 @@ in {
       implementation = "broker";
     };
     ntpd-rs = {
-      enable = true;
+      enable = false;
       #settings = {
       #  server = {
       #    require-nts = true;

modules/shared/nixos/security/nix-mineral/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [./nix-mineral.nix ./nm-overrides.nix];
+}

modules/shared/nixos/security/nix-mineral/nm-overrides.nix

@@ -0,0 +1,228 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# This is the overrides file for nix-mineral, containing a non-comprehensive
+# list of options that one may wish to override for any number of reasons.
+#
+# The goal is primarily to provide a premade template for users to make
+# nix-mineral work with any system and use case.
+({
+  config,
+  lib,
+  pkgs,
+  ...
+}: (with lib; {
+  ## Compatibility
+  # Options to ensure compatibility with certain usecases and hardware, at the
+  # expense of overall security.
+
+  # Set boot parameter "module.sig_enforce=0" to allow loading unsigned kernel
+  # modules, which may include certain drivers. Lockdown must also be disabled,
+  # see option below this one.
+  # nm-overrides.compatibility.allow-unsigned-modules.enable = true;
+
+  # Disable Linux Kernel Lockdown to *permit* loading unsigned kernel modules
+  # and hibernation.
+  # nm-overrides.compatibility.no-lockdown.enable = true;
+
+  # Enable binfmt_misc. This is required for Roseta to function.
+  # nm-overrides.compatibility.binfmt-misc.enable = true;
+
+  # Reenable the busmaster bit at boot. This may help with low resource systems
+  # that are prevented from booting by the defaults of nix-mineral.
+  # nm-overrides.compatibility.busmaster-bit.enable = true;
+
+  # Reenable io_uring, which is the cause of many vulnerabilities. This may
+  # be desired for specific environments concerning Proxmox.
+  # nm-overrides.compatibility.io-uring.enable = true;
+
+  # Enable ip forwarding. Useful for certain VM networking and is required if
+  # the system is meant to function as a router.
+  # nm-overrides.compatibility.ip-forward.enable = true;
+
+  ## Desktop
+  # Options that are useful to desktop experience and general convenience. Some
+  # of these may also be to specific server environments, too. Most of these
+  # options reduce security to a certain degree.
+
+  # Reenable multilib, may be useful to playing certain games.
+  nm-overrides.desktop.allow-multilib.enable = true;
+
+  # Reenable unprivileged userns. Although userns is the target of many
+  # exploits, it also used in the Chromium sandbox, unprivileged containers,
+  # and bubblewrap among many other applications.
+  nm-overrides.desktop.allow-unprivileged-userns.enable = true;
+
+  # Enable doas-sudo wrapper, useful for scripts that use "sudo." Installs
+  # nano for rnano as a "safe" method of editing text as root.
+  # Use this when replacing sudo with doas, see "Software Choice."
+  # sudo = doas
+  # doasedit/sudoedit = doas rnano
+  # nm-overrides.desktop.doas-sudo-wrapper.enable = true;
+
+  # Allow executing binaries in /home. Highly relevant for games and other
+  # programs executing in the /home folder.
+  nm-overrides.desktop.home-exec.enable = true;
+
+  # Allow executing binaries in /tmp. Certain applications may need to execute
+  # in /tmp, Java being one example.
+  nm-overrides.desktop.tmp-exec.enable = true;
+
+  # Allow executing binaries in /var/lib. LXC, and system-wide Flatpaks are
+  # among some examples of applications that requiring executing in /var/lib.
+  # nm-overrides.desktop.var-lib-exec.enable = true;
+
+  # Allow all users to use nix, rather than just users of the "wheel" group.
+  # May be useful for allowing a non-wheel user to, for example, use devshell.
+  # nm-overrides.desktop.nix-allow-all-users.enable = true;
+
+  # Automatically allow all connected devices at boot in USBGuard. Note that
+  # for laptop users, inbuilt speakers and bluetooth cards may be disabled
+  # by USBGuard by default, so whitelisting them manually or enabling this
+  # option may solve that.
+  # nm-overrides.desktop.usbguard-allow-at-boot.enable = true;
+
+  # Enable USBGuard dbus daemon and add polkit rules to integrate USBGuard with
+  # GNOME Shell. If you use GNOME, this means that USBGuard automatically
+  # allows all newly connected devices while unlocked, and blacklists all
+  # newly connected devices while locked. This is obviously very convenient,
+  # and is similar behavior to handling USB as ChromeOS and GrapheneOS.
+  # nm-overrides.usbguard-gnome-integration.enable = true;
+
+  # Completely disable USBGuard to avoid hassle with handling USB devices at
+  # all.
+  nm-overrides.desktop.usbguard-disable.enable = true;
+
+  # Rather than disable ptrace entirely, restrict ptrace so that parent
+  # processes can ptrace descendants. May allow certain Linux game anticheats
+  # to function.
+  nm-overrides.desktop.yama-relaxed.enable = true;
+
+  # Allow processes that can ptrace a process to read its process information.
+  # Requires ptrace to even be allowed in the first place, see above option.
+  # Note: While nix-mineral has made provisions to unbreak systemd, it is
+  # not supported by upstream, and breakage may still occur:
+  # https://github.com/systemd/systemd/issues/12955
+  # nm-overrides.desktop.hideproc-relaxed.enable = true;
+
+  ## Performance
+  # Options to revert some performance taxing tweaks by nix-mineral, at the cost
+  # of security. In general, it's recommended not to use these unless your system
+  # is otherwise unusable without tweaking these.
+
+  # Allow symmetric multithreading and just use default CPU mitigations, to
+  # potentially improve performance.
+  nm-overrides.performance.allow-smt.enable = true;
+
+  # Disable all CPU mitigations. Do not use with the above option. May improve
+  # performance further, but is even more dangerous!
+  # nm-overrides.performance.no-mitigations.enable = true;
+
+  # Enable bypassing the IOMMU for direct memory access. Could increase I/O
+  # performance on ARM64 systems, with risk. See URL: https://wiki.ubuntu.com/ARM64/performance
+  # nm-overrides.performance.iommu-passthrough.enable = true;
+
+  # Page table isolation mitigates some KASLR bypasses and the Meltdown CPU
+  # vulnerability. It may also tax performance, so this option disables it.
+  # nm-overrides.perforamcne.no-pti.enable = true;
+
+  ## Security
+  # Other security related options that were not enabled by default for one
+  # reason or another.
+
+  # Lock the root account. Requires another method of privilege escalation, i.e
+  # sudo or doas, and declarative accounts to work properly.
+  nm-overrides.security.lock-root.enable = true;
+
+  # Reduce swappiness to bare minimum. May reduce risk of writing sensitive
+  # information to disk, but hampers zram performance. Also useless if you do
+  # not even use a swap file/partition, i.e zram only setup.
+  # nm-overrides.security.minimum-swappiness.enable = true;
+
+  # Enable SAK (Secure Attention Key). SAK prevents keylogging, if used
+  # correctly. See URL: https://madaidans-insecurities.github.io/guides/linux-hardening.html#accessing-root-securely
+  # nm-overrides.security.sysrq-sak.enable = true;
+
+  # Privacy/security split.
+  # This option disables TCP timestamps. By default, nix-mineral enables
+  # tcp-timestamps. Disabling prevents leaking system time, enabling protects
+  # against wrapped sequence numbers and improves performance.
+  #
+  # Read more about the issue here:
+  # URL: (In favor of disabling): https://madaidans-insecurities.github.io/guides/linux-hardening.html#tcp-timestamps
+  # URL: (In favor of enabling): https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+  # nm-overrides.security.tcp-timestamp-disable.enable = true;
+
+  # Disable loading kernel modules (except those loaded at boot via kernel
+  # commandline)
+  # Very likely to cause breakage unless you can compile a list of every module
+  # you need and add that to your boot parameters manually.
+  # nm-overrides.security.disable-modules.enable = true;
+
+  # Disable TCP window scaling. May help mitigate TCP reset DoS attacks, but
+  # may also harm network performance when at high latencies.
+  # nm-overrides.security.disable-tcp-window-scaling.enable = true;
+
+  # Disable bluetooth entirely. nix-mineral borrows a privacy preserving
+  # bluetooth configuration file by default, but if you never use bluetooth
+  # at all, this can reduce attack surface further.
+  # nm-overrides.security.disable-bluetooth.enable = true;
+
+  # Disable Intel ME related kernel modules. This is to avoid putting trust in
+  # the highly privilege ME system, but there are potentially other
+  # consequences.
+  #
+  # If you use an AMD system, you can enable this without negative consequence
+  # and reduce attack surface.
+  #
+  # Intel users should read more about the issue at the below links:
+  # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+  # https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
+  # https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
+  # https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
+  # https://github.com/Kicksecure/security-misc/issues/239
+  #
+  # nm-overrides.security.disable-intelme-kmodules.enable = true;
+
+  # DO NOT USE THIS OPTION ON ANY PRODUCTION SYSTEM! FOR TESTING PURPOSES ONLY!
+  # Use hardened-malloc as default memory allocator for all processes.
+  # nm-overrides.security.hardened-malloc.enable = true;
+
+  ## Software Choice
+  # Options to add (or remove) opinionated software replacements by nix-mineral.
+
+  # Replace sudo with doas. doas has a lower attack surface, but is less
+  # audited.
+  # nm-overrides.software-choice.doas-no-sudo.enable = true;
+
+  # Replace systemd-timesyncd with chrony, for NTS support and its seccomp
+  # filter.
+  nm-overrides.software-choice.secure-chrony.enable = true;
+
+  # Use Linux Kernel with hardened patchset. Concurs a multitude of security
+  # benefits, but prevents hibernation.*
+  #
+  # (No longer recommended as of July 25, 2024. The patchset being behind by
+  # about a week or so is one thing, but the package as included in nixpkgs is
+  # way too infrequently updated, being several weeks or even months behind.
+  # Therefore, it is recommended to choose an LTS kernel like 5.15, 6.1, or 6.6
+  # in your own system configuration.*)
+  #
+  # nm-overrides.software-choice.hardened-kernel.enable = true;
+
+  # Dont use the nix-mineral default firewall, if you wish to use alternate
+  # applications for the same purpose.
+  # nm-overrides.software-choice.no-firewall.enable = true;
+}))

modules/shared/nixos/security/nix-mineral/sources.toml

@@ -0,0 +1,57 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+
+[issue]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "usr/lib/issue.d/20_security-misc.issue"
+sha256 = "00ilswn1661h8rwfrq4w3j945nr7dqd1g519d3ckfkm0dr49f26b"
+modified = "2024/08/02"
+
+[gitconfig]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/gitconfig"
+sha256 = "1p3adrbmv7fvy84v3i3m3xrzbc2zdrxzn6prac8f6418vwrdmyp7"
+modified = "2024/08/02"
+
+[bluetooth]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/bluetooth/30_security-misc.conf"
+sha256 = "0xyvvgmm0dhf0dfhfj4hdbyf2ma30bpd1m5zx6xnjdfvy2fr44na"
+modified = "2024/08/02"
+
+[module-blacklist]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/modprobe.d/30_security-misc_disable.conf"
+sha256 = "1mab9cnnwpc4a0x1f5n45yn4yhhdy1affdmmimmslg8rcw65ajh2"
+modified = "2024/08/02"
+
+[chrony]
+user = "GrapheneOS"
+repo = "infrastructure"
+rev = "1f4d7316b8bd42476fc8e98224f67ce8d150527d"
+file = "etc/chrony.conf"
+sha256 = "sha256:0cfd5dwimiv4sadmknnc4l4zm7y49bmdnjdk7wc8wvnhfri3mick"
+modified = "2025/04/16"