1769288238

modules/nixos/shared/security/services.nix

@@ -0,0 +1,29 @@
+{
+  # config,
+  lib,
+  # pkgs,
+  ...
+}: let
+  systemd-services-hardened = fetchGit {
+    url = "https://github.com/wallago/nix-system-services-hardened.git";
+    ref = "main";
+    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
+  };
+  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
+in {
+  imports = fromHardened [
+    "accounts-daemon"
+    "getty"
+    # "nix-daemon" # TODO: breaks cgroups, ...
+    "nscd"
+    "rescue"
+    "sshd"
+    "systemd-machined"
+    "systemd-rfkill"
+    "systemd-udevd"
+  ];
+  systemd.services = {
+    nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce [];
+    sshd.serviceConfig.ProtectHome = lib.mkForce "no";
+  };
+}