nixos-blueprint/modules/nixos/config/security/default.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkIf mkDefault;
in {
  security = {
    sudo.enable = false;
    # doas.enable = true;
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
    };
    polkit.enable = true;
    polkit.extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (
          subject.isInGroup("users")
            && (
              action.id == "org.freedesktop.login1.reboot" ||
              action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
              action.id == "org.freedesktop.login1.power-off" ||
              action.id == "org.freedesktop.login1.power-off-multiple-sessions"
            )
          )
        {
          return polkit.Result.YES;
        }
      });
    '';
    apparmor.enable = mkDefault true;
  };

  environment.systemPackages = with pkgs; [
    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
  ];

  services.dbus = {
    apparmor = "enabled";
    implementation = "broker";
  };
  services.ntpd-rs = {
    enable = true;
    #settings = {
    #  server = {
    #    require-nts = true;
    #  };
    #};
  };

  boot.kernel.sysctl = {
    "dev.tty.ldisc_autoload" = 0;
    "fs.protected_fifos" = 2;
    "fs.protected_regular" = 2;
    "fs.suid_dumpable" = 0;
    "kernel.kptr_restrict" = 2;
    # "kernel.modules_disabled" = 1;
    "kernel.sysrq" = 0;
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.ipv4.conf.all.forwarding" = 0;
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
  };
  boot.kernelParams = [
    "amd_iommu=force_isolation"
    "debugfs=off"
    "efi=disable_early_pci_dma"
    "gather_data_sampling=force"
    "intel_iommu=on"
    "iommu.passthrough=0"
    "iommu.strict=1"
    "iommu=force"
    "page_alloc.shuffle=1"
    "vsyscall=none"
    # "ia32_emulation=0"
    # "lockdown=confidentiality"
    # "module.sig_enforce=1"
  ];

  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"
    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];

  nix.settings.allowed-users = mkDefault ["@users"];
}