nixos-blueprint/modules/shared/nixos/security/default.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkIf mkDefault;
  systemd-services-hardened = fetchGit {
    url = "https://github.com/wallago/nix-system-services-hardened.git";
    ref = "main";
    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
  };
  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
in {
  imports =
    [./boot.nix ./ssh.nix]
    ++ fromHardened [
      "accounts-daemon"
      "getty"
      # "nix-daemon" # TODO: breaks cgroups, ...
      "nscd"
      "rescue"
      "sshd"
      "systemd-machined"
      "systemd-rfkill"
      "systemd-udevd"
    ];
  networking.modemmanager.enable = false;
  security =
    lib.attrsets.recursiveUpdate {
      # doas.enable = true;
      polkit.enable = true;
      sudo-rs.enable = false;
      sudo.enable = false;
    } {
      sudo-rs.execWheelOnly = true;
      pam.loginLimits = [
        {
          domain = "*"; # Applies to all users/sessions
          type = "-"; # Set both soft and hard limits
          item = "core"; # The soft/hard limit item
          value = "0"; # Core dumps size is limited to 0 (effectively disabled)
        }
      ];
      # pam.sshAgentAuth.enable = true;
      polkit.extraConfig = ''
        polkit.addRule(function(action, subject) {
          if (
            subject.isInGroup("users")
              && (
                action.id == "org.freedesktop.login1.reboot" ||
                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
                action.id == "org.freedesktop.login1.power-off" ||
                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
              )
            )
          {
            return polkit.Result.YES;
          }
        });
      '';
    };

  environment.systemPackages = with pkgs; [
    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
  ];
  systemd.coredump.enable = false;
  services = {
    chrony = {
      enable = true;
      enableNTS = true;
      servers = [
        "time.cloudflare.com iburst nts"
        "ntppool1.time.nl iburst nts"
        "nts.netnod.se iburst nts"
        "ptbtime1.ptb.de iburst nts"
        "time.dfm.dk iburst nts"
        "time.cifelli.xyz iburst nts"
      ];
    };
    dbus.implementation = "broker";
  };

  nix.settings.allowed-users = mkDefault ["@users"];
}