unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e6e28ef325d3f0ddc6a6d9257717039baa5d8f1
nixos-blueprint/hosts/sarien/system/security/basic.nix
unexplrd 2e6e28ef32 initial
2025-02-06 00:33:06 +02:00

91 lines
1.9 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.security.basic;
in {
options = {
security.basic.enable =
lib.mkEnableOption "enable basic security";
};
config = lib.mkIf cfg.enable {
security = {
sudo.enable = false;
# doas.enable = true;
sudo-rs = {
enable = true;
execWheelOnly = true;
};
polkit.enable = true;
polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
&& (
action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions"
)
)
{
return polkit.Result.YES;
}
});
'';
apparmor.enable = lib.mkDefault true;
};
environment.systemPackages = with pkgs; [
(mkIf (config.security.doas.enable == true) doas-sudo-shim) # if doas install doas sudo shim
];
services.dbus = {
apparmor = "enabled";
implementation = "broker";
};
services.ntpd-rs = {
enable = true;
#settings = {
# server = {
# require-nts = true;
# };
#};
};
boot.blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
nix.settings.allowed-users = lib.mkDefault ["@users"];
};
}
Reference in New Issue View Git Blame Copy Permalink