diff --git a/modules/shared/nixos/security/default.nix b/modules/shared/nixos/security/default.nix
index 9dfd561..7b579ea 100644
--- a/modules/shared/nixos/security/default.nix
+++ b/modules/shared/nixos/security/default.nix
@@ -6,6 +6,7 @@
}: let
inherit (lib) mkIf mkDefault;
in {
+ imports = [./nix-mineral];
security = {
sudo.enable = false;
# doas.enable = true;
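Review bot: The new `imports = [./nix-mineral];` pulls in a module whose whole `config` is wrapped in `mkIf cfg.enable`, and the vendored file declares `nix-mineral.enable` with `default = false`; nothing in this hunk sets it, so unless `nm-overrides.nix` (not visible here) turns it on, the import is a no-op and none of the sysctl, kernelParams or mount hardening actually lands. If enabling is the intent, add `nix-mineral.enable = true;` next to the import so the decision is explicit in this file. Separately, the vendored module's `doas-sudo-wrapper` override calls `l.getExe` while its `l = lib // builtins;` binding is commented out in the `let` block, so switching that override on would fail at evaluation time. The attribute set this hunk edits continues outside the hunk.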
@@ -33,7 +34,7 @@ in {
'';
};
apparmor.enable = mkDefault true;
- pam.sshAgentAuth.enable = true;
+ # pam.sshAgentAuth.enable = true;
};
environment.systemPackages = with pkgs; [
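Review bot: Commenting out `pam.sshAgentAuth.enable = true;` leaves no record of why SSH-agent-backed PAM authentication was dropped, and it now sits indistinguishable from the dead `# doas.enable = true;` line above; for an authentication setting the next reader needs the reason before deciding whether to revert it. Either replace the bare comment with one that states it, e.g. `# pam.sshAgentAuth disabled: <reason> — re-enable only if agent-based auth is required`, or delete the line so it does not linger as dead config. The `security` attribute set this hunk edits starts before the hunk.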
@@ -45,7 +46,7 @@ in {
implementation = "broker";
};
ntpd-rs = {
- enable = true;
+ enable = false;
#settings = {
# server = {
# require-nts = true;
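Review bot: Setting `ntpd-rs.enable = false` while its NTS `settings` stay commented out leaves this file without any configured time-sync daemon and no note of what takes over; the imported module sets `services.resolved.dnssec = "true"`, and DNSSEC signature validity and TLS certificate checks both fail on a drifted clock. If the plan is to fall back to NixOS's default `systemd-timesyncd` (plain, unauthenticated NTP) or to nix-mineral's `secure-chrony` override (which defaults to false), state it above the line, e.g. `# ntpd-rs disabled; time sync provided by <daemon> (NTS not enforced)`. The `services` attribute set this hunk edits continues outside the hunk.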
diff --git a/modules/shared/nixos/security/nix-mineral/default.nix b/modules/shared/nixos/security/nix-mineral/default.nix
new file mode 100644
index 0000000..fef44a8
--- /dev/null
+++ b/modules/shared/nixos/security/nix-mineral/default.nix
@@ -0,0 +1,3 @@
+{
+ imports = [./nix-mineral.nix ./nm-overrides.nix];
+}
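Review bot: `imports = [./nix-mineral.nix ./nm-overrides.nix];` depends on `nm-overrides.nix`, and `nix-mineral.nix` in turn reads `./sources.toml` to fetch the Kicksecure issue, gitconfig, bluetooth and modprobe files by `rev` and `sha256`; neither file appears in the part of the diff visible here, so if either is missing from the commit the whole configuration fails to evaluate. Worth confirming both are committed and that each `sources.toml` entry carries a full commit `rev` and matching `sha256`, since those pins are what keeps the fetched system files reproducible. A short header such as `# Vendored nix-mineral plus local overrides; upstream files are pinned in sources.toml` would help the next reader.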
diff --git a/modules/shared/nixos/security/nix-mineral/nix-mineral.nix b/modules/shared/nixos/security/nix-mineral/nix-mineral.nix
new file mode 100644
index 0000000..f629604
--- /dev/null
+++ b/modules/shared/nixos/security/nix-mineral/nix-mineral.nix
@@ -0,0 +1,1135 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# This is the main module for nix-mineral, containing the default configuration.
+### CREDITS ###
+# Please, see the README and give your thanks and support to the people and projects
+# which have helped this project's development!
+# sysctl omitted from K4YT3X config that are out of scope of nix-mineral and
+# hardening but may be useful anyways to some, see their repo for details:
+# kernel.core_uses_pid = 1
+# kernel.pid_max = 4194304
+# kernel.panic = 10
+# fs.file-max = 9223372036854775807
+# fs.inotify.max_user_watches = 524288
+# net.core.netdev_max_backlog = 250000
+# net.core.rmem_default = 8388608
+# net.core.wmem_default = 8388608
+# net.core.rmem_max = 536870912
+# net.core.wmem_max = 536870912
+# net.core.optmem_max = 40960
+# net.ipv4.tcp_congestion_control = bbr
+# net.ipv4.tcp_synack_retries = 5
+# net.ipv4.ip_local_port_range = 1024 65535
+# net.ipv4.tcp_slow_start_after_idle = 0
+# net.ipv4.tcp_mtu_probing = 1
+# net.ipv4.tcp_base_mss = 1024
+# net.ipv4.tcp_rmem = 8192 262144 536870912
+# net.ipv4.tcp_wmem = 4096 16384 536870912
+# net.ipv4.tcp_adv_win_scale = -2
+# net.ipv4.tcp_notsent_lowat = 131072
+# Sections from madaidan's guide that are IRRELEVANT/NON-APPLICABLE:
+# 1. (Advice)
+# 2.1 (Advice)
+# 2.3.3 (Advice)
+# 2.5.1 (Advice)
+# 2.5.3 (Advice)
+# 2.6 (Advice)
+# 2.10 (Package is broken)
+# 7 (Advice)
+# 10.5.4 (The problem of NTP being unencrypted is fixed by using NTS instead.
+# Note that this means using chrony, as in "Software Choice" in the overrides,
+# which is not default behavior!)
+# 11 (Partially, there seems to be no way to edit the permissions of /boot
+# whether with mount options or through tmpfiles)
+# 15 (Implemented by default)
+# 19 (Advice)
+# 20 (Not relevant)
+# 21.7 (Advice, not in threat model)
+# 22 (Advice)
+# Sections from madaidan's guide requiring manual user intervention:
+# 2.7 (systemd service hardening must be done manually)
+# 2.9 (Paid software)
+# 2.11 (Unique for all hardware, inconvenient)
+# 4 (Sandboxing must be done manually)
+# 6 (Compiling everything is inconvenient)
+# 8.6 (No option, not for all systems)
+# 8.7 (Inconvenient, depends on specific user behavior)
+# 10.1 (Up to user to determine hostname and username)
+# 10.2 (Up to user to determine timezone, locale, and keymap)
+# 10.5.3 (Not packaged)
+# 10.6 (Not packaged, inconvenient and not within threat model)
+# 11.1 (Manual removal of SUID/SGID is manual)
+# 11.2 (No known way to set umask declaratively systemwide, use your shellrc
+# or home manager to do so)
+# 14 (Rather than enforce password quality with PAM, expect user
+# to enforce their own password quality; faildelay is, however,
+# implemented here)
+# 21.1 (Out of scope)
+# 21.2 (See above)
+# 21.3 (User's job to set passwords)
+# 21.3.1 (See above)
+# 21.3.2 (See above)
+# 21.3.3 (See above)
+# 21.4 (Non-declarative setup, experimental)
+# ABOUT THE DEFAULTS:
+# The default config harms performance and usability in many ways, focusing
+# almost entirely on hardening alone.
+#
+# There are also some optional software substitutions and additions in the
+# overrides that are recommended but *not enabled* by default:
+#
+# sudo ---> doas (For reduced attack surface; although less audited)
+# systemd-timesyncd ---> chrony (For NTS support)
+# linux_hardened kernel*
+#
+# As of Decemeber 26, 2024, linux_hardened is up to date with mainline linux in
+# unstable NixOS. However, it is cautioned that users regularly check the
+# status of the linux_hardened package in NixOS, because it has been left
+# unupdated for long periods of time in the past, which would be a severe
+# security risk since an outdated kernel means the existence of many known
+# vulnerabilities in the most privileged component of the operating system.
+#
+# USBGuard is also *enabled* by default, which may inconvenience some users.
+#
+# All of this can, and should be addressed using the overrides file.
+# "nm-overrides.nix"
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ # l = lib // builtins;
+ inherit (lib) mkDefault mkForce mkIf mkMerge mkOption mkOverride types;
+ inherit (builtins) fromTOML readFile;
+
+ sources = fromTOML (readFile ./sources.toml);
+ /*
+ helper function to fetch a file from a github repository
+
+ example usage to fetch https://raw.githubusercontent.com/Kicksecure/security-misc/de6f3ea74a5a1408e4351c955ecb7010825364c5/usr/lib/issue.d/20_security-misc.issue
+
+ fetchGhFile {
+ user = "Kicksecure";
+ repo = "security-misc";
+ rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5";
+ file = "usr/lib/issue.d/20_security-misc.issue";
+ sha256 = "00ilswn1661h8rwfrq4w3j945nr7dqd1g519d3ckfkm0dr49f26b";
+ }
+ */
+ fetchGhFile = {
+ user,
+ repo,
+ rev,
+ file,
+ sha256,
+ ...
+ }:
+ builtins.fetchurl {
+ url = "https://raw.githubusercontent.com/${user}/${repo}/${rev}/${file}";
+ inherit sha256;
+ };
+
+ cfg = config.nix-mineral;
+in {
+ options.nix-mineral = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable all nix-mineral defaults.
+ '';
+ };
+ overrides = {
+ compatibility = {
+ allow-unsigned-modules = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow loading unsigned kernel modules.
+ '';
+ };
+ allow-busmaster-bit = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reenable the busmaster bit at boot.
+ '';
+ };
+ allow-ip-forward = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reenable ip forwarding.
+ '';
+ };
+ no-lockdown = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable Linux Kernel Lockdown.
+ '';
+ };
+ };
+ desktop = {
+ allow-multilib = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reenable support for 32 bit applications.
+ '';
+ };
+ doas-sudo-wrapper = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable doas-sudo wrapper, with nano to utilize rnano as a "safe"
+ editor for editing as root.
+ '';
+ };
+ hideproc-ptraceable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow processes that can ptrace a process to read its corresponding /proc
+ information.
+ '';
+ };
+ hideproc-off = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable access restriction on /proc.
+ Fix Gnome/Wayland.
+ '';
+ };
+ home-exec = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow programs to execute in /home.
+ '';
+ };
+ skip-restrict-home-permission = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable recursively restricting permisions of /home directories,
+ as this can takes several minutes on large home directories.
+ '';
+ };
+ nix-allow-all = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow all users to use nix.
+ '';
+ };
+ tmp-exec = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow executing programs in /tmp.
+ '';
+ };
+ usbguard-gnome-integration = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable USBGuard dbus daemon and polkit rules for integration with GNOME
+ Shell.
+ '';
+ };
+ var-lib-exec = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow executing programs in /var/lib.
+ '';
+ };
+ };
+ performance = {
+ allow-smt = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reenable symmetric multithreading.
+ '';
+ };
+ iommu-passthrough = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable bypassing the IOMMU for direct memory access.
+ '';
+ };
+ no-mitigations = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable all CPU vulnerability mitigations.
+ '';
+ };
+ no-pti = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable page table isolation.
+ '';
+ };
+ };
+ security = {
+ disable-bluetooth-kmodules = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable bluetooth related kernel modules.
+ '';
+ };
+ disable-intelme-kmodules = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable Intel ME related kernel modules and partially disable ME interface.
+ '';
+ };
+ disable-amd-iommu-forced-isolation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Do not set amd_iommu=force_isolation kernel parameter.
+ Workaround hanging issue on linux kernel 6.13.
+ '';
+ };
+ lock-root = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Lock the root user.
+ '';
+ };
+ minimize-swapping = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reduce frequency of swapping to bare minimum.
+ '';
+ };
+ sysrq-sak = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable Secure Attention Key with the sysrq key.
+ '';
+ };
+ };
+ software-choice = {
+ doas-no-sudo = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Replace sudo with doas.
+ '';
+ };
+ no-firewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable default firewall as chosen by nix-mineral.
+ '';
+ };
+ secure-chrony = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Replace systemd-timesyncd with chrony for NTP, and configure chrony for NTS
+ and to use the seccomp filter for security.
+ '';
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable (mkMerge [
+ # Main module
+
+ {
+ boot = {
+ kernel = {
+ sysctl = {
+ # NOTE: `mkOverride 900` is used when a default value is already defined in NixOS.
+
+ # Yama restricts ptrace, which allows processes to read and modify the
+ # memory of other processes. This has obvious security implications.
+ # Default value is 1, to only allow parent processes to ptrace child
+ # processes. May be modified to restrict ptrace further.
+ # See overrides.
+ "kernel.yama.ptrace_scope" = mkDefault "1";
+
+ # Disables magic sysrq key. See overrides file regarding SAK (Secure
+ # attention key).
+ "kernel.sysrq" = mkDefault "0";
+
+ # Disable binfmt. Breaks Roseta, among other applications.
+ # See overrides file and https://en.wikipedia.org/wiki/Binfmt_misc for more info.
+ "fs.binfmt_misc.status" = mkDefault "0";
+
+ # Disable io_uring. May be desired for Proxmox, but is responsible
+ # for many vulnerabilities and is disabled on Android + ChromeOS.
+ # See overrides file.
+ "kernel.io_uring_disabled" = mkDefault "2";
+
+ # Disable ip forwarding to reduce attack surface. May be needed for
+ # VM networking. See overrides file.
+ "net.ipv4.ip_forward" = mkDefault "0";
+ "net.ipv4.conf.all.forwarding" = mkOverride 900 "0";
+ "net.ipv4.conf.default.forwarding" = mkDefault "0";
+ "net.ipv6.conf.all.forwarding" = mkDefault "0";
+ "net.ipv6.conf.default.forwarding" = mkDefault "0";
+
+ # Privacy/security split.
+ # By default, nix-mineral enables
+ # tcp-timestamps. Disabling prevents leaking system time, enabling protects
+ # against wrapped sequence numbers and improves performance.
+ #
+ # Read more about the issue here:
+ # URL: (In favor of disabling): https://madaidans-insecurities.github.io/guides/linux-hardening.html#tcp-timestamps
+ # URL: (In favor of enabling): https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+ "net.ipv4.tcp_timestamps" = mkDefault "1";
+
+ "dev.tty.ldisc_autoload" = mkDefault "0";
+ "fs.protected_fifos" = mkDefault "2";
+ "fs.protected_hardlinks" = mkDefault "1";
+ "fs.protected_regular" = mkDefault "2";
+ "fs.protected_symlinks" = mkDefault "1";
+ "fs.suid_dumpable" = mkDefault "0";
+ "kernel.dmesg_restrict" = mkDefault "1";
+ "kernel.kexec_load_disabled" = mkOverride 900 "1";
+ "kernel.kptr_restrict" = mkOverride 900 "2";
+ "kernel.perf_event_paranoid" = mkDefault "3";
+ "kernel.printk" = mkOverride 900 "3 3 3 3";
+ "kernel.unprivileged_bpf_disabled" = mkDefault "1";
+ "net.core.bpf_jit_harden" = mkDefault "2";
+
+ # Disable ICMP redirects to prevent some MITM attacks
+ # See https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+ "net.ipv4.conf.all.accept_redirects" = mkOverride 900 "0";
+ "net.ipv4.conf.default.accept_redirects" = mkOverride 900 "0";
+ "net.ipv4.conf.all.send_redirects" = mkOverride 900 "0";
+ "net.ipv4.conf.default.send_redirects" = mkOverride 900 "0";
+ "net.ipv6.conf.all.accept_redirects" = mkOverride 900 "0";
+ "net.ipv6.conf.default.accept_redirects" = mkOverride 900 "0";
+
+ # Use secure ICMP redirects by default. Helpful if ICMP redirects are
+ # reenabled only.
+ "net.ipv4.conf.all.secure_redirects" = mkOverride 900 "1";
+ "net.ipv4.conf.default.secure_redirects" = mkOverride 900 "1";
+
+ "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
+ "net.ipv4.conf.all.rp_filter" = mkOverride 900 "1";
+ "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
+ "net.ipv4.conf.default.rp_filter" = mkOverride 900 "1";
+ "net.ipv4.icmp_echo_ignore_all" = mkDefault "1";
+ "net.ipv6.icmp_echo_ignore_all" = mkDefault "1";
+ "net.ipv4.tcp_dsack" = mkDefault "0";
+ "net.ipv4.tcp_fack" = mkDefault "0";
+ "net.ipv4.tcp_rfc1337" = mkDefault "1";
+ "net.ipv4.tcp_sack" = mkDefault "0";
+ "net.ipv4.tcp_syncookies" = mkDefault "1";
+ "net.ipv6.conf.all.accept_ra" = mkDefault "0";
+ "net.ipv6.conf.all.accept_source_route" = mkDefault "0";
+ "net.ipv6.conf.default.accept_source_route" = mkDefault "0";
+ "net.ipv6.default.accept_ra" = mkDefault "0";
+ "kernel.core_pattern" = mkDefault "|/bin/false";
+ "vm.mmap_rnd_bits" = mkDefault "32";
+ "vm.mmap_rnd_compat_bits" = mkDefault "16";
+ "vm.unprivileged_userfaultfd" = mkDefault "0";
+ "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
+
+ # enable ASLR
+ # turn on protection and randomize stack, vdso page and mmap + randomize brk base address
+ "kernel.randomize_va_space" = mkDefault "2";
+
+ # restrict perf subsystem usage (activity) further
+ "kernel.perf_cpu_time_max_percent" = mkDefault "1";
+ "kernel.perf_event_max_sample_rate" = mkDefault "1";
+
+ # do not allow mmap in lower addresses
+ "vm.mmap_min_addr" = mkDefault "65536";
+
+ # log packets with impossible addresses to kernel log
+ # No active security benefit, just makes it easier to spot a DDOS/DOS by giving
+ # extra logs
+ "net.ipv4.conf.default.log_martians" = mkOverride 900 "1";
+ "net.ipv4.conf.all.log_martians" = mkOverride 900 "1";
+
+ # disable sending and receiving of shared media redirects
+ # this setting overwrites net.ipv4.conf.all.secure_redirects
+ # refer to RFC1620
+ "net.ipv4.conf.default.shared_media" = mkDefault "0";
+ "net.ipv4.conf.all.shared_media" = mkDefault "0";
+
+ # always use the best local address for announcing local IP via ARP
+ # Seems to be most restrictive option
+ "net.ipv4.conf.default.arp_announce" = mkDefault "2";
+ "net.ipv4.conf.all.arp_announce" = mkDefault "2";
+
+ # reply only if the target IP address is local address configured on the incoming interface
+ "net.ipv4.conf.default.arp_ignore" = mkDefault "1";
+ "net.ipv4.conf.all.arp_ignore" = mkDefault "1";
+
+ # drop Gratuitous ARP frames to prevent ARP poisoning
+ # this can cause issues when ARP proxies are used in the network
+ "net.ipv4.conf.default.drop_gratuitous_arp" = mkDefault "1";
+ "net.ipv4.conf.all.drop_gratuitous_arp" = mkDefault "1";
+
+ # ignore all ICMP echo and timestamp requests sent to broadcast/multicast
+ "net.ipv4.icmp_echo_ignore_broadcasts" = mkOverride 900 "1";
+
+ # number of Router Solicitations to send until assuming no routers are present
+ "net.ipv6.conf.default.router_solicitations" = mkDefault "0";
+ "net.ipv6.conf.all.router_solicitations" = mkDefault "0";
+
+ # do not accept Router Preference from RA
+ "net.ipv6.conf.default.accept_ra_rtr_pref" = mkDefault "0";
+ "net.ipv6.conf.all.accept_ra_rtr_pref" = mkDefault "0";
+
+ # learn prefix information in router advertisement
+ "net.ipv6.conf.default.accept_ra_pinfo" = mkDefault "0";
+ "net.ipv6.conf.all.accept_ra_pinfo" = mkDefault "0";
+
+ # setting controls whether the system will accept Hop Limit settings from a router advertisement
+ "net.ipv6.conf.default.accept_ra_defrtr" = mkDefault "0";
+ "net.ipv6.conf.all.accept_ra_defrtr" = mkDefault "0";
+
+ # router advertisements can cause the system to assign a global unicast address to an interface
+ "net.ipv6.conf.default.autoconf" = mkDefault "0";
+ "net.ipv6.conf.all.autoconf" = mkDefault "0";
+
+ # number of neighbor solicitations to send out per address
+ "net.ipv6.conf.default.dad_transmits" = mkDefault "0";
+ "net.ipv6.conf.all.dad_transmits" = mkDefault "0";
+
+ # number of global unicast IPv6 addresses can be assigned to each interface
+ "net.ipv6.conf.default.max_addresses" = mkDefault "1";
+ "net.ipv6.conf.all.max_addresses" = mkDefault "1";
+
+ # enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
+ # https://grapheneos.org/features#wifi-privacy
+ # GrapheneOS devs seem to believe it is relevant to use IPV6 privacy
+ # extensions alongside MAC randomization, so that's why we do both
+ # Commented, as this is already explicitly defined by default in NixOS
+ # "net.ipv6.conf.default.use_tempaddr" = mkForce "2";
+ # "net.ipv6.conf.all.use_tempaddr" = mkForce "2";
+
+ # ignore all ICMPv6 echo requests
+ "net.ipv6.icmp.echo_ignore_all" = mkDefault "1";
+ "net.ipv6.icmp.echo_ignore_anycast" = mkDefault "1";
+ "net.ipv6.icmp.echo_ignore_multicast" = mkDefault "1";
+ };
+ };
+
+ kernelParams =
+ [
+ # Requires all kernel modules to be signed. This prevents out-of-tree
+ # kernel modules from working unless signed. See overrides.
+ "module.sig_enforce=1"
+
+ # May break some drivers, same reason as the above. Also breaks
+ # hibernation. See overrides.
+ "lockdown=confidentiality"
+
+ # May prevent some systems from booting. See overrides.
+ "efi=disable_early_pci_dma"
+
+ # Forces DMA to go through IOMMU to mitigate some DMA attacks. See
+ # overrides.
+ "iommu.passthrough=0"
+
+ # Apply relevant CPU exploit mitigations, and disable symmetric
+ # multithreading. May harm performance. See overrides.
+ "mitigations=auto,nosmt"
+
+ # Mitigates Meltdown, some KASLR bypasses. Hurts performance. See
+ # overrides.
+ "pti=on"
+
+ # Gather more entropy on boot. Only works with the linux_hardened
+ # patchset, but does nothing if using another kernel. Slows down boot
+ # time by a bit.
+ "extra_latent_entropy"
+
+ "slab_nomerge"
+ "init_on_alloc=1"
+ "init_on_free=1"
+ "page_alloc.shuffle=1"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
+ "debugfs=off"
+ "oops=panic"
+ "quiet"
+ "loglevel=0"
+ "random.trust_cpu=off"
+ "random.trust_bootloader=off"
+ "intel_iommu=on"
+ "iommu=force"
+ "iommu.strict=1"
+ ]
+ ++ lib.optional (!cfg.overrides.security.disable-amd-iommu-forced-isolation)
+ "amd_iommu=force_isolation";
+
+ # Disable the editor in systemd-boot, the default bootloader for NixOS.
+ # This prevents access to the root shell or otherwise weakening
+ # security by tampering with boot parameters. If you use a different
+ # boatloader, this does not provide anything. You may also want to
+ # consider disabling similar functions in your choice of bootloader.
+ loader.systemd-boot.editor = mkDefault false;
+ };
+ environment.etc = {
+ # Empty /etc/securetty to prevent root login on tty.
+ securetty.text = ''
+ # /etc/securetty: list of terminals on which root is allowed to login.
+ # See securetty(5) and login(1).
+ '';
+
+ # Set machine-id to the Kicksecure machine-id, for privacy reasons.
+ # /var/lib/dbus/machine-id doesn't exist on dbus enabled NixOS systems,
+ # so we don't have to worry about that.
+ machine-id.text = ''
+ b08dfa6083e7567a1921a715000001fb
+ '';
+
+ # Borrow Kicksecure banner/issue.
+ issue.source = fetchGhFile sources.issue;
+
+ # Borrow Kicksecure gitconfig, disabling git symlinks and enabling fsck
+ # by default for better git security.
+ gitconfig.source = fetchGhFile sources.gitconfig;
+
+ # Borrow Kicksecure bluetooth configuration for better bluetooth privacy
+ # and security. Disables bluetooth automatically when not connected to
+ # any device.
+ "bluetooth/main.conf".source = mkForce (fetchGhFile sources.bluetooth);
+
+ # Borrow Kicksecure module blacklist.
+ # "install "foobar" /bin/not-existent" prevents the module from being
+ # loaded at all. "blacklist "foobar"" prevents the module from being
+ # loaded automatically at boot, but it can still be loaded afterwards.
+ "modprobe.d/nm-module-blacklist.conf".source = fetchGhFile sources.module-blacklist;
+ };
+
+ ### Filesystem hardening
+ # Based on Kicksecure/security-misc's remount-secure
+ # Kicksecure/security-misc
+ # usr/bin/remount-secure - Last updated July 31st, 2024
+ # Inapplicable:
+ # /sys (Already hardened by default in NixOS)
+ # /media, /mnt, /opt (Doesn't even exist on NixOS)
+ # /var/tmp, /var/log (Covered by toplevel hardening on /var,)
+ # Bind mounting /usr with nodev causes boot failure
+ # Bind mounting /boot/efi at all causes complete system failure
+
+ fileSystems = {
+ # noexec on /home can be very inconvenient for desktops. See overrides.
+ "/home" = {
+ device = mkDefault "/home";
+ options = [
+ "bind"
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ # You do not want to install applications here anyways.
+ "/root" = {
+ device = mkDefault "/root";
+ options = [
+ "bind"
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ # Some applications may need to be executable in /tmp. See overrides.
+ "/tmp" = {
+ device = mkDefault "/tmp";
+ options = [
+ "bind"
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ # noexec on /var(/lib) may cause breakage. See overrides.
+ "/var" = {
+ device = mkDefault "/var";
+ options = [
+ "bind"
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ "/boot" = lib.mkIf (!config.boot.isContainer) {
+ options = [
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ "/srv" = {
+ device = mkDefault "/srv";
+ options = [
+ "bind"
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
+ "/etc" = lib.mkIf (!config.boot.isContainer) {
+ device = mkDefault "/etc";
+ options = [
+ "bind"
+ "nosuid"
+ "nodev"
+ ];
+ };
+ };
+
+ # Harden special filesystems while maintaining NixOS defaults as outlined
+ # here:
+ # https://github.com/NixOS/nixpkgs/blob/e2dd4e18cc1c7314e24154331bae07df76eb582f/nixos/modules/tasks/filesystems.nix
+ boot.specialFileSystems = {
+ # Add noexec to /dev/shm
+ "/dev/shm" = {
+ options = [
+ "noexec"
+ ];
+ };
+
+ # Add noexec to /run
+ "/run" = {
+ options = [
+ "noexec"
+ ];
+ };
+
+ # Add noexec to /dev
+ "/dev" = {
+ options = [
+ "noexec"
+ ];
+ };
+
+ # Hide processes from other users except root, may cause breakage.
+ # See overrides, in desktop section.
+ "/proc" = {
+ device = mkDefault "proc";
+ options = [
+ "hidepid=2"
+ "gid=${toString config.users.groups.proc.gid}"
+ ];
+ };
+ };
+
+ # Add "proc" group to whitelist /proc access and allow systemd-logind to view
+ # /proc in order to unbreak it, as well as to user@ for similar reasons.
+ # See https://github.com/systemd/systemd/issues/12955, and https://github.com/Kicksecure/security-misc/issues/208
+ users.groups.proc.gid = mkDefault config.ids.gids.proc;
+ systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = ["proc"];
+ systemd.services."user@".serviceConfig.SupplementaryGroups = ["proc"];
+
+ # Enables firewall. You may need to tweak your firewall rules depending on
+ # your usecase. On a desktop, this shouldn't cause problems.
+ networking = {
+ firewall = {
+ allowedTCPPorts = mkDefault [];
+ allowedUDPPorts = mkDefault [];
+ enable = mkDefault true;
+ };
+ networkmanager = {
+ ethernet.macAddress = mkDefault "random";
+ wifi = {
+ macAddress = mkDefault "random";
+ scanRandMacAddress = mkDefault true;
+ };
+ # Enable IPv6 privacy extensions in NetworkManager.
+ connectionConfig."ipv6.ip6-privacy" = mkDefault 2;
+ };
+ };
+
+ # Enabling MAC doesn't magically make your system secure. You need to set up
+ # policies yourself for it to be effective.
+ security = {
+ apparmor = {
+ enable = mkDefault true;
+ killUnconfinedConfinables = mkDefault true;
+ };
+
+ pam = {
+ loginLimits = [
+ {
+ domain = mkDefault "*";
+ item = mkDefault "core";
+ type = mkDefault "hard";
+ value = mkDefault "0";
+ }
+ ];
+ services = {
+ # Increase hashing rounds for /etc/shadow; this doesn't automatically
+ # rehash your passwords, you'll need to set passwords for your accounts
+ # again for this to work.
+ passwd.rules.password."unix".settings.rounds = mkDefault 65536;
+ # Enable PAM support for securetty, to prevent root login.
+ # https://unix.stackexchange.com/questions/670116/debian-bullseye-disable-console-tty-login-for-root
+ login.rules.auth = {
+ "nologin" = {
+ enable = mkDefault true;
+ order = mkDefault 0;
+ control = mkDefault "requisite";
+ modulePath = mkDefault "${config.security.pam.package}/lib/security/pam_nologin.so";
+ };
+ "securetty" = {
+ enable = mkDefault true;
+ order = mkDefault 1;
+ control = mkDefault "requisite";
+ modulePath = mkDefault "${config.security.pam.package}/lib/security/pam_securetty.so";
+ };
+ };
+
+ su.requireWheel = mkDefault true;
+ su-l.requireWheel = mkDefault true;
+ system-login.failDelay.delay = mkDefault "4000000";
+ };
+ };
+ };
+ services = {
+ # Disallow root login over SSH. Doesn't matter on systems without SSH.
+ openssh.settings.PermitRootLogin = mkDefault "no";
+
+ # DNS connections will fail if not using a DNS server supporting DNSSEC.
+ resolved.dnssec = mkDefault "true";
+ };
+
+ # Get extra entropy since we disabled hardware entropy sources
+ # Read more about why at the following URLs:
+ # https://github.com/smuellerDD/jitterentropy-rngd/issues/27
+ # https://blogs.oracle.com/linux/post/rngd1
+ services.jitterentropy-rngd.enable = mkDefault (!config.boot.isContainer);
+ boot.kernelModules = ["jitterentropy_rng"];
+
+ # Don't store coredumps from systemd-coredump.
+ systemd.coredump.extraConfig = ''
+ Storage=none
+ '';
+
+ # Enable IPv6 privacy extensions for systemd-networkd.
+ systemd.network.config.networkConfig.IPv6PrivacyExtensions = mkDefault "kernel";
+
+ systemd.tmpfiles.settings =
+ {
+ # Make all files in /etc/nixos owned by root, and only readable by root.
+ # /etc/nixos is not owned by root by default, and configuration files can
+ # on occasion end up also not owned by root. This can be hazardous as files
+ # that are included in the rebuild may be editable by unprivileged users,
+ # so this mitigates that.
+ "restrictetcnixos"."/etc/nixos/*".Z = {
+ mode = mkDefault "0000";
+ user = mkDefault "root";
+ group = mkDefault "root";
+ };
+ }
+ // lib.optionalAttrs (!cfg.overrides.desktop.skip-restrict-home-permission) {
+ # Restrict permissions of /home/$USER so that only the owner of the
+ # directory can access it (the user). systemd-tmpfiles also has the benefit
+ # of recursively setting permissions too, with the "Z" option as seen below.
+ "restricthome"."/home/*".Z.mode = mkDefault "~0700";
+ };
+
+ # zram allows swapping to RAM by compressing memory. This reduces the chance
+ # that sensitive data is written to disk, and eliminates it if zram is used
+ # to completely replace swap to disk. Generally *improves* storage lifespan
+ # and performance, there usually isn't a need to disable this.
+ zramSwap.enable = mkDefault true;
+
+ # Limit access to nix to users with the "wheel" group. ("sudoers")
+ nix.settings.allowed-users = mkDefault ["@wheel"];
+ }
+
+ # Compatibility
+
+ (mkIf cfg.overrides.compatibility.allow-unsigned-modules {
+ boot.kernelParams = mkOverride 100 ["module.sig_enforce=0"];
+ })
+
+ (mkIf cfg.overrides.compatibility.allow-busmaster-bit {
+ boot.kernelParams = mkOverride 100 ["efi=no_disable_early_pci_dma"];
+ })
+
+ (mkIf cfg.overrides.compatibility.allow-ip-forward {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = mkForce "1";
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = mkForce "1";
+ boot.kernel.sysctl."net.ipv4.conf.default.forwarding" = mkForce "1";
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = mkForce "1";
+ boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = mkForce "1";
+ })
+
+ (mkIf cfg.overrides.compatibility.no-lockdown {
+ boot.kernelParams = mkOverride 100 ["lockdown="];
+ })
+
+ # Desktop
+
+ (mkIf cfg.overrides.desktop.allow-multilib {
+ boot.kernelParams = mkOverride 100 ["ia32_emulation=1"];
+ })
+
+ (mkIf cfg.overrides.desktop.doas-sudo-wrapper {
+ environment.systemPackages = with pkgs; [
+ (writeScriptBin "sudo" ''exec ${l.getExe doas} "$@"'')
+ (writeScriptBin "sudoedit" ''exec ${l.getExe doas} ${l.getExe' nano "rnano"} "$@"'')
+ (writeScriptBin "doasedit" ''exec ${l.getExe doas} ${l.getExe' nano "rnano"} "$@"'')
+ ];
+ })
+
+ (mkIf cfg.overrides.desktop.hideproc-ptraceable {
+ boot.specialFileSystems."/proc" = {
+ options = mkForce [
+ "nosuid"
+ "nodev"
+ "noexec"
+ "hidepid=4"
+ "gid=${toString config.users.groups.proc.gid}"
+ ];
+ };
+ })
+
+ (mkIf cfg.overrides.desktop.hideproc-off {
+ boot.specialFileSystems."/proc" = {
+ options = mkForce [
+ "nosuid"
+ "nodev"
+ "noexec"
+ "gid=${toString config.users.groups.proc.gid}"
+ ];
+ };
+ })
+
+ (mkIf cfg.overrides.desktop.home-exec {
+ fileSystems."/home" = {
+ device = mkForce "/home";
+ options = mkForce [
+ "bind"
+ "nosuid"
+ "exec"
+ "nodev"
+ ];
+ };
+ })
+
+ (mkIf cfg.overrides.desktop.nix-allow-all {nix.settings.allowed-users = mkForce ["*"];})
+
+ (mkIf cfg.overrides.desktop.tmp-exec {
+ fileSystems."/tmp" = {
+ device = mkForce "/tmp";
+ options = mkForce [
+ "bind"
+ "nosuid"
+ "exec"
+ "nodev"
+ ];
+ };
+ })
+
+ (mkIf cfg.overrides.desktop.usbguard-gnome-integration {
+ services.usbguard.dbus.enable = mkForce true;
+ security.polkit = {
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.usbguard.Policy1.listRules" ||
+ action.id == "org.usbguard.Policy1.appendRule" ||
+ action.id == "org.usbguard.Policy1.removeRule" ||
+ action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
+ action.id == "org.usbguard.Devices1.listDevices" ||
+ action.id == "org.usbguard1.getParameter" ||
+ action.id == "org.usbguard1.setParameter") &&
+ subject.active == true && subject.local == true &&
+ subject.isInGroup("wheel")) { return polkit.Result.YES; }
+ });
+ '';
+ };
+ })
+
+ (mkIf cfg.overrides.desktop.var-lib-exec {
+ fileSystems."/var/lib" = {
+ device = mkForce "/var/lib";
+ options = mkForce [
+ "bind"
+ "nosuid"
+ "exec"
+ "nodev"
+ ];
+ };
+ })
+
+ # Performance
+
+ (mkIf cfg.overrides.performance.allow-smt {
+ boot.kernelParams = mkOverride 100 ["mitigations=auto"];
+ })
+
+ (mkIf cfg.overrides.performance.iommu-passthrough {
+ boot.kernelParams = mkOverride 100 ["iommu.passthrough=1"];
+ })
+
+ (mkIf cfg.overrides.performance.no-mitigations {
+ boot.kernelParams = mkOverride 100 ["mitigations=off"];
+ })
+
+ (mkIf cfg.overrides.performance.no-pti {boot.kernelParams = mkOverride 100 ["pti=off"];})
+
+ # Security
+
+ (mkIf cfg.overrides.security.disable-bluetooth-kmodules {
+ environment.etc."modprobe.d/nm-disable-bluetooth.conf" = {
+ text = ''
+ install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+ install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
+ install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+ install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+ install btintel /usr/bin/disabled-bluetooth-by-security-misc
+ install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+ install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+ install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+ install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+ install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+ install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+ install btqca /usr/bin/disabled-bluetooth-by-security-misc
+ install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+ install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+ install btsdio /usr/bin/disabled-bluetooth-by-security-misc
+ install btusb /usr/bin/disabled-bluetooth-by-security-misc
+ install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
+ '';
+ };
+ })
+
+ (mkIf cfg.overrides.security.disable-intelme-kmodules {
+ environment.etc."modprobe.d/nm-disable-intelme-kmodules.conf" = {
+ text = ''
+ install mei /usr/bin/disabled-intelme-by-security-misc
+ install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+ install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+ install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+ install mei-me /usr/bin/disabled-intelme-by-security-misc
+ install mei_phy /usr/bin/disabled-intelme-by-security-misc
+ install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+ install mei-txe /usr/bin/disabled-intelme-by-security-misc
+ install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+ install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+ install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+ install microread_mei /usr/bin/disabled-intelme-by-security-misc
+ '';
+ };
+ })
+
+ (mkIf cfg.overrides.security.lock-root {
+ users = {
+ users = {
+ root = {
+ hashedPassword = mkDefault "!";
+ };
+ };
+ };
+ })
+
+ (mkIf cfg.overrides.security.minimize-swapping {
+ boot.kernel.sysctl."vm.swappiness" = mkForce "1";
+ })
+
+ (mkIf cfg.overrides.security.sysrq-sak {boot.kernel.sysctl."kernel.sysrq" = mkForce "4";})
+
+ # Software Choice
+
+ (mkIf cfg.overrides.software-choice.doas-no-sudo {
+ security.sudo.enable = mkDefault false;
+ security.doas = {
+ enable = mkDefault true;
+ extraRules = [
+ {
+ keepEnv = mkDefault true;
+ persist = mkDefault true;
+ users = mkDefault ["user"];
+ }
+ ];
+ };
+ })
+
+ (mkIf cfg.overrides.software-choice.no-firewall {networking.firewall.enable = mkForce false;})
+
+ (mkIf cfg.overrides.software-choice.secure-chrony {
+ services.timesyncd = {
+ enable = mkDefault false;
+ };
+ services.chrony = {
+ enable = mkDefault true;
+
+ extraFlags = mkDefault [
+ "-F 1"
+ "-r"
+ ];
+ # Enable seccomp filter for chronyd (-F 1) and reload server history on
+ # restart (-r). The -r flag is added to match GrapheneOS's original
+ # chronyd configuration.
+
+ enableRTCTrimming = mkDefault false;
+ # Disable 'rtcautotrim' so that 'rtcsync' can be used instead. Either
+ # this or 'rtcsync' must be disabled to complete a successful rebuild,
+ # or an error will be thrown due to these options conflicting with
+ # eachother.
+
+ servers = mkDefault [];
+ # Since servers are declared by the fetched chrony config, set the
+ # NixOS option to [ ] to prevent the default values from interfering.
+
+ initstepslew.enabled = mkDefault false;
+ # Initstepslew "is deprecated in favour of the makestep directive"
+ # according to:
+ # https://chrony-project.org/doc/4.6/chrony.conf.html#initstepslew.
+ # The fetched chrony config already has makestep enabled, so
+ # initstepslew is disabled (it is enabled by default).
+
+ # The below config is borrowed from GrapheneOS server infrastructure.
+ # It enables NTS to secure NTP requests, among some other useful
+ # settings.
+
+ extraConfig = ''
+ ${builtins.readFile (fetchGhFile sources.chrony)}
+ leapseclist ${pkgs.tzdata}/share/zoneinfo/leap-seconds.list
+ '';
+ # Override the leapseclist path with the NixOS-compatible path to
+ # leap-seconds.list using the tzdata package. This is necessary because
+ # NixOS doesn't use standard FHS paths like /usr/share/zoneinfo.
+ };
+ })
+ ]);
+}
diff --git a/modules/shared/nixos/security/nix-mineral/nm-overrides.nix b/modules/shared/nixos/security/nix-mineral/nm-overrides.nix
new file mode 100644
index 0000000..5f7732b
--- /dev/null
+++ b/modules/shared/nixos/security/nix-mineral/nm-overrides.nix
@@ -0,0 +1,228 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# This is the overrides file for nix-mineral, containing a non-comprehensive
+# list of options that one may wish to override for any number of reasons.
+#
+# The goal is primarily to provide a premade template for users to make
+# nix-mineral work with any system and use case.
+({
+ config,
+ lib,
+ pkgs,
+ ...
+}: (with lib; {
+ ## Compatibility
+ # Options to ensure compatibility with certain usecases and hardware, at the
+ # expense of overall security.
+
+ # Set boot parameter "module.sig_enforce=0" to allow loading unsigned kernel
+ # modules, which may include certain drivers. Lockdown must also be disabled,
+ # see option below this one.
+ # nm-overrides.compatibility.allow-unsigned-modules.enable = true;
+
+ # Disable Linux Kernel Lockdown to *permit* loading unsigned kernel modules
+ # and hibernation.
+ # nm-overrides.compatibility.no-lockdown.enable = true;
+
+ # Enable binfmt_misc. This is required for Roseta to function.
+ # nm-overrides.compatibility.binfmt-misc.enable = true;
+
+ # Reenable the busmaster bit at boot. This may help with low resource systems
+ # that are prevented from booting by the defaults of nix-mineral.
+ # nm-overrides.compatibility.busmaster-bit.enable = true;
+
+ # Reenable io_uring, which is the cause of many vulnerabilities. This may
+ # be desired for specific environments concerning Proxmox.
+ # nm-overrides.compatibility.io-uring.enable = true;
+
+ # Enable ip forwarding. Useful for certain VM networking and is required if
+ # the system is meant to function as a router.
+ # nm-overrides.compatibility.ip-forward.enable = true;
+
+ ## Desktop
+ # Options that are useful to desktop experience and general convenience. Some
+ # of these may also be to specific server environments, too. Most of these
+ # options reduce security to a certain degree.
+
+ # Reenable multilib, may be useful to playing certain games.
+ nm-overrides.desktop.allow-multilib.enable = true;
+
+ # Reenable unprivileged userns. Although userns is the target of many
+ # exploits, it also used in the Chromium sandbox, unprivileged containers,
+ # and bubblewrap among many other applications.
+ nm-overrides.desktop.allow-unprivileged-userns.enable = true;
+
+ # Enable doas-sudo wrapper, useful for scripts that use "sudo." Installs
+ # nano for rnano as a "safe" method of editing text as root.
+ # Use this when replacing sudo with doas, see "Software Choice."
+ # sudo = doas
+ # doasedit/sudoedit = doas rnano
+ # nm-overrides.desktop.doas-sudo-wrapper.enable = true;
+
+ # Allow executing binaries in /home. Highly relevant for games and other
+ # programs executing in the /home folder.
+ nm-overrides.desktop.home-exec.enable = true;
+
+ # Allow executing binaries in /tmp. Certain applications may need to execute
+ # in /tmp, Java being one example.
+ nm-overrides.desktop.tmp-exec.enable = true;
+
+ # Allow executing binaries in /var/lib. LXC, and system-wide Flatpaks are
+ # among some examples of applications that requiring executing in /var/lib.
+ # nm-overrides.desktop.var-lib-exec.enable = true;
+
+ # Allow all users to use nix, rather than just users of the "wheel" group.
+ # May be useful for allowing a non-wheel user to, for example, use devshell.
+ # nm-overrides.desktop.nix-allow-all-users.enable = true;
+
+ # Automatically allow all connected devices at boot in USBGuard. Note that
+ # for laptop users, inbuilt speakers and bluetooth cards may be disabled
+ # by USBGuard by default, so whitelisting them manually or enabling this
+ # option may solve that.
+ # nm-overrides.desktop.usbguard-allow-at-boot.enable = true;
+
+ # Enable USBGuard dbus daemon and add polkit rules to integrate USBGuard with
+ # GNOME Shell. If you use GNOME, this means that USBGuard automatically
+ # allows all newly connected devices while unlocked, and blacklists all
+ # newly connected devices while locked. This is obviously very convenient,
+ # and is similar behavior to handling USB as ChromeOS and GrapheneOS.
+ # nm-overrides.usbguard-gnome-integration.enable = true;
+
+ # Completely disable USBGuard to avoid hassle with handling USB devices at
+ # all.
+ nm-overrides.desktop.usbguard-disable.enable = true;
+
+ # Rather than disable ptrace entirely, restrict ptrace so that parent
+ # processes can ptrace descendants. May allow certain Linux game anticheats
+ # to function.
+ nm-overrides.desktop.yama-relaxed.enable = true;
+
+ # Allow processes that can ptrace a process to read its process information.
+ # Requires ptrace to even be allowed in the first place, see above option.
+ # Note: While nix-mineral has made provisions to unbreak systemd, it is
+ # not supported by upstream, and breakage may still occur:
+ # https://github.com/systemd/systemd/issues/12955
+ # nm-overrides.desktop.hideproc-relaxed.enable = true;
+
+ ## Performance
+ # Options to revert some performance taxing tweaks by nix-mineral, at the cost
+ # of security. In general, it's recommended not to use these unless your system
+ # is otherwise unusable without tweaking these.
+
+ # Allow symmetric multithreading and just use default CPU mitigations, to
+ # potentially improve performance.
+ nm-overrides.performance.allow-smt.enable = true;
+
+ # Disable all CPU mitigations. Do not use with the above option. May improve
+ # performance further, but is even more dangerous!
+ # nm-overrides.performance.no-mitigations.enable = true;
+
+ # Enable bypassing the IOMMU for direct memory access. Could increase I/O
+ # performance on ARM64 systems, with risk. See URL: https://wiki.ubuntu.com/ARM64/performance
+ # nm-overrides.performance.iommu-passthrough.enable = true;
+
+ # Page table isolation mitigates some KASLR bypasses and the Meltdown CPU
+ # vulnerability. It may also tax performance, so this option disables it.
+ # nm-overrides.perforamcne.no-pti.enable = true;
+
+ ## Security
+ # Other security related options that were not enabled by default for one
+ # reason or another.
+
+ # Lock the root account. Requires another method of privilege escalation, i.e
+ # sudo or doas, and declarative accounts to work properly.
+ nm-overrides.security.lock-root.enable = true;
+
+ # Reduce swappiness to bare minimum. May reduce risk of writing sensitive
+ # information to disk, but hampers zram performance. Also useless if you do
+ # not even use a swap file/partition, i.e zram only setup.
+ # nm-overrides.security.minimum-swappiness.enable = true;
+
+ # Enable SAK (Secure Attention Key). SAK prevents keylogging, if used
+ # correctly. See URL: https://madaidans-insecurities.github.io/guides/linux-hardening.html#accessing-root-securely
+ # nm-overrides.security.sysrq-sak.enable = true;
+
+ # Privacy/security split.
+ # This option disables TCP timestamps. By default, nix-mineral enables
+ # tcp-timestamps. Disabling prevents leaking system time, enabling protects
+ # against wrapped sequence numbers and improves performance.
+ #
+ # Read more about the issue here:
+ # URL: (In favor of disabling): https://madaidans-insecurities.github.io/guides/linux-hardening.html#tcp-timestamps
+ # URL: (In favor of enabling): https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+ # nm-overrides.security.tcp-timestamp-disable.enable = true;
+
+ # Disable loading kernel modules (except those loaded at boot via kernel
+ # commandline)
+ # Very likely to cause breakage unless you can compile a list of every module
+ # you need and add that to your boot parameters manually.
+ # nm-overrides.security.disable-modules.enable = true;
+
+ # Disable TCP window scaling. May help mitigate TCP reset DoS attacks, but
+ # may also harm network performance when at high latencies.
+ # nm-overrides.security.disable-tcp-window-scaling.enable = true;
+
+ # Disable bluetooth entirely. nix-mineral borrows a privacy preserving
+ # bluetooth configuration file by default, but if you never use bluetooth
+ # at all, this can reduce attack surface further.
+ # nm-overrides.security.disable-bluetooth.enable = true;
+
+ # Disable Intel ME related kernel modules. This is to avoid putting trust in
+ # the highly privilege ME system, but there are potentially other
+ # consequences.
+ #
+ # If you use an AMD system, you can enable this without negative consequence
+ # and reduce attack surface.
+ #
+ # Intel users should read more about the issue at the below links:
+ # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+ # https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
+ # https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
+ # https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
+ # https://github.com/Kicksecure/security-misc/issues/239
+ #
+ # nm-overrides.security.disable-intelme-kmodules.enable = true;
+
+ # DO NOT USE THIS OPTION ON ANY PRODUCTION SYSTEM! FOR TESTING PURPOSES ONLY!
+ # Use hardened-malloc as default memory allocator for all processes.
+ # nm-overrides.security.hardened-malloc.enable = true;
+
+ ## Software Choice
+ # Options to add (or remove) opinionated software replacements by nix-mineral.
+
+ # Replace sudo with doas. doas has a lower attack surface, but is less
+ # audited.
+ # nm-overrides.software-choice.doas-no-sudo.enable = true;
+
+ # Replace systemd-timesyncd with chrony, for NTS support and its seccomp
+ # filter.
+ nm-overrides.software-choice.secure-chrony.enable = true;
+
+ # Use Linux Kernel with hardened patchset. Concurs a multitude of security
+ # benefits, but prevents hibernation.*
+ #
+ # (No longer recommended as of July 25, 2024. The patchset being behind by
+ # about a week or so is one thing, but the package as included in nixpkgs is
+ # way too infrequently updated, being several weeks or even months behind.
+ # Therefore, it is recommended to choose an LTS kernel like 5.15, 6.1, or 6.6
+ # in your own system configuration.*)
+ #
+ # nm-overrides.software-choice.hardened-kernel.enable = true;
+
+ # Dont use the nix-mineral default firewall, if you wish to use alternate
+ # applications for the same purpose.
+ # nm-overrides.software-choice.no-firewall.enable = true;
+}))
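Review bot: Several option names in this template do not match what the nix-mineral module evaluates, so uncommenting them would not enable the intended override: `nm-overrides.desktop.nix-allow-all-users` (the module reads `nix-allow-all`), `nm-overrides.security.minimum-swappiness` (module reads `minimize-swapping`), `nm-overrides.usbguard-gnome-integration` (missing the `desktop.` segment), `nm-overrides.perforamcne.no-pti` (typo for `performance`), and `nm-overrides.desktop.hideproc-relaxed` (the module only knows `hideproc-ptraceable` and `hideproc-off`). More fundamentally, every entry here is written as `nm-overrides.<category>.<name>.enable = true` while nix-mineral.nix tests `cfg.overrides.<category>.<name>` as a plain boolean under `mkIf`; the option declarations are outside this diff, so it is worth confirming that `nm-overrides.*` is actually declared and wired to `cfg.overrides.*`, otherwise the enabled entries (multilib, userns, home/tmp exec, SMT, usbguard-disable, yama-relaxed, lock-root, secure-chrony) either fail evaluation or are silently ignored. Separately, `nm-overrides.security.lock-root.enable = true` is active while `nm-overrides.software-choice.doas-no-sudo.enable` stays commented out; the comment above lock-root already says another privilege-escalation method is required, so unless doas or sudo is enabled elsewhere in the configuration this sets root's hashed password to `!` with no remaining path to administrative access. A one-line header such as `# Option names below must match those declared in nix-mineral.nix; re-check after updating either file.` would make that coupling explicit.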
diff --git a/modules/shared/nixos/security/nix-mineral/sources.toml b/modules/shared/nixos/security/nix-mineral/sources.toml
new file mode 100644
index 0000000..54ff6e6
--- /dev/null
+++ b/modules/shared/nixos/security/nix-mineral/sources.toml
@@ -0,0 +1,57 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+
+[issue]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "usr/lib/issue.d/20_security-misc.issue"
+sha256 = "00ilswn1661h8rwfrq4w3j945nr7dqd1g519d3ckfkm0dr49f26b"
+modified = "2024/08/02"
+
+[gitconfig]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/gitconfig"
+sha256 = "1p3adrbmv7fvy84v3i3m3xrzbc2zdrxzn6prac8f6418vwrdmyp7"
+modified = "2024/08/02"
+
+[bluetooth]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/bluetooth/30_security-misc.conf"
+sha256 = "0xyvvgmm0dhf0dfhfj4hdbyf2ma30bpd1m5zx6xnjdfvy2fr44na"
+modified = "2024/08/02"
+
+[module-blacklist]
+user = "Kicksecure"
+repo = "security-misc"
+rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
+file = "etc/modprobe.d/30_security-misc_disable.conf"
+sha256 = "1mab9cnnwpc4a0x1f5n45yn4yhhdy1affdmmimmslg8rcw65ajh2"
+modified = "2024/08/02"
+
+[chrony]
+user = "GrapheneOS"
+repo = "infrastructure"
+rev = "1f4d7316b8bd42476fc8e98224f67ce8d150527d"
+file = "etc/chrony.conf"
+sha256 = "sha256:0cfd5dwimiv4sadmknnc4l4zm7y49bmdnjdk7wc8wvnhfri3mick"
+modified = "2025/04/16"
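Review bot: The `chrony` entry's `sha256` is written with a `sha256:` prefix while the four security-misc entries use bare nix32 digests; how `fetchGhFile` consumes this field is outside the diff, so either normalise the value to the bare form or confirm the fetcher accepts both, since a rejected hash here breaks the `secure-chrony` override that splices this file into chrony's `extraConfig`. Pinning each file by commit `rev` plus `sha256` is the right shape because the fetched content becomes system configuration (modprobe blacklist, bluetooth policy, NTP settings); the `modified` fields are informational only and provide no integrity guarantee. A short comment at the top of the file, e.g. `# Each entry pins one upstream config file by commit and content hash; update rev and sha256 together`, would document that contract.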