1769288238

modules/nixos/shared/security/default.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf;
+in {
+  imports = [
+    ./boot.nix
+    ./coredump.nix
+    ./services.nix
+    ./ssh.nix
+  ];
+
+  networking.modemmanager.enable = false;
+
+  nix.settings.allowed-users = ["@users"];
+  nix.settings.trusted-users = ["@wheel"];
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim)
+  ];
+
+  security =
+    lib.attrsets.recursiveUpdate {
+      # doas.enable = true;
+      polkit.enable = true;
+      sudo-rs.enable = false;
+      sudo.enable = false;
+
+      wrappers = {
+        newgrp.enable = false;
+        pkexec.enable = false;
+        sg.enable = false;
+        su.enable = false;
+      };
+    } {
+      sudo-rs.execWheelOnly = true;
+      # pam.sshAgentAuth.enable = true;
+      polkit.extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if (
+            subject.isInGroup("users")
+              && (
+                action.id == "org.freedesktop.login1.reboot" ||
+                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+                action.id == "org.freedesktop.login1.power-off" ||
+                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+              )
+            )
+          {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+    };
+
+  services.dbus.implementation = "broker";
+  services.chrony = {
+    enable = true;
+    enableRTCTrimming = false;
+    enableNTS = true;
+    extraConfig = "rtcsync";
+    extraFlags = ["-r" "-s"];
+    servers = [
+      "time.cloudflare.com iburst nts"
+      "ntppool1.time.nl iburst nts"
+      "nts.netnod.se iburst nts"
+      "ptbtime1.ptb.de iburst nts"
+      "time.dfm.dk iburst nts"
+      "time.cifelli.xyz iburst nts"
+    ];
+  };
+}