authorFreya Murphy <freya@freyacat.org>2025-12-31 13:38:01 -0500
committerFreya Murphy <freya@freyacat.org>2025-12-31 21:20:20 -0500
commit478f6b2b4bdba66f02f0d1dfa3cff17f6133beee (patch)
tree906c18a56258f35b32ff9a4e76e15b53a1b7702f
parentswitch to sudo-rs (diff)
add hardening module
-rw-r--r--flake.lock72
-rw-r--r--flake.nix3
-rw-r--r--hosts/shinji/default.nix1
-rw-r--r--hosts/shinji/hardware.nix5
-rw-r--r--lib/default.nix1
-rw-r--r--options.nix3
-rw-r--r--system/default.nix1
-rw-r--r--system/hardened.nix58
8 files changed, 139 insertions, 5 deletions
diff --git a/flake.lock b/flake.lock
index be3408c..175ee62 100644
--- a/flake.lock
+++ b/flake.lock
@@ -98,6 +98,20 @@
}
},
"flake-compat_2": {
+ "locked": {
+ "lastModified": 1733328505,
+ "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+ "revCount": 69,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz?rev=ff81ac966bb2cae68946d5ed5fc4994f96d0ffec&revCount=69"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+ }
+ },
+ "flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1765121682,
@@ -113,6 +127,24 @@
"type": "github"
}
},
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1754487366,
+ "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": "systems_2"
@@ -560,6 +592,28 @@
"type": "github"
}
},
+ "nix-mineral": {
+ "inputs": {
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1767208067,
+ "narHash": "sha256-3FBQZeSwHLNcBbw3iwflg7ealdQ1j8FxIwog6WwxQJE=",
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "rev": "b0b38893cdb32e92b8c3fae15d1516d5aab0113f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "type": "github"
+ }
+ },
"nixos-hardware": {
"locked": {
"lastModified": 1767070591,
@@ -578,7 +632,7 @@
},
"nixos-wsl": {
"inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
"nixpkgs": [
"nixpkgs"
]
@@ -613,6 +667,21 @@
"type": "github"
}
},
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1753579242,
+ "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
"ny": {
"flake": false,
"locked": {
@@ -677,6 +746,7 @@
"hy3": "hy3",
"hyprland": "hyprland",
"hyprland-plugins": "hyprland-plugins",
+ "nix-mineral": "nix-mineral",
"nixos-hardware": "nixos-hardware",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 7d17ed6..9619893 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,9 @@
preload-ng.inputs.nixpkgs.follows = "nixpkgs";
# nixos-hardware
nixos-hardware.url = "github:nixos/nixos-hardware/master";
+ # nix-mineral
+ nix-mineral.url = "github:cynicsketch/nix-mineral";
+ nix-mineral.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = {
diff --git a/hosts/shinji/default.nix b/hosts/shinji/default.nix
index 34e84ec..1ae7d56 100644
--- a/hosts/shinji/default.nix
+++ b/hosts/shinji/default.nix
@@ -99,4 +99,5 @@
bluetooth = true;
network = true;
tpm = true;
+ hardened = true;
}
diff --git a/hosts/shinji/hardware.nix b/hosts/shinji/hardware.nix
index f1edca2..b35c2a2 100644
--- a/hosts/shinji/hardware.nix
+++ b/hosts/shinji/hardware.nix
@@ -30,13 +30,10 @@
boot.initrd.kernelModules = [
"vfio_pci"
"vfio"
- "vfio_iommu_type1"
];
boot.kernelModules = ["kvm-amd"];
boot.blacklistedKernelModules = ["nouveau"];
- boot.kernelParams = [
- "amd_iommu=on"
- ];
+ boot.kernelParams = [];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["ntfs"];
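Review bot: Dropping `amd_iommu=on` and the `vfio_iommu_type1` initrd module is not explained by the commit title and changes what this host relies on for DMA isolation; after this hunk the IOMMU state depends on firmware and kernel defaults unless the new hardening module sets its own parameters. If that is the intent, say so next to the list, e.g. `# IOMMU/VFIO kernel params are now supplied by system/hardened.nix` — otherwise the removal looks accidental. `boot.kernelParams = [];` can simply be deleted, since the option's default is already the empty list. `vfio_pci` and `vfio` stay in `boot.initrd.kernelModules` without the type1 backend that was loaded alongside them, so whether passthrough still works on this host should be checked.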
diff --git a/lib/default.nix b/lib/default.nix
index 006e638..bdd5adb 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -20,6 +20,7 @@ in {
fingerprint
network
tpm
+ hardened
minimal
# Primary User
user
diff --git a/options.nix b/options.nix
index 5093e8b..9753f99 100644
--- a/options.nix
+++ b/options.nix
@@ -280,6 +280,9 @@ in {
tpm = mkEnableOption {
description = "Enable system TPM";
};
+ hardened = mkEnableOption {
+ description = "Hardened the NixOS system";
+ };
minimal = mkEnableOption {
description = "Install only required system services, drivers, and programs.";
};
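Review bot: The new description `"Hardened the NixOS system"` reads as a past tense next to the sibling descriptions (`Enable system TPM`, `Install only required ...`), which are imperative; change it to `description = "Harden the NixOS system";` so the option list stays consistent.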
diff --git a/system/default.nix b/system/default.nix
index 9e8ab90..be64ff0 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
./bluetooth.nix
./desktop.nix
./fingerprint.nix
+ ./hardened.nix
./hardware.nix
./networking.nix
./sshd.nix
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..223b358
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,58 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ inputs.nix-mineral.nixosModules.nix-mineral
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ settings = {
+ debug = {
+ coredump = true;
+ zram = false;
+ };
+ network = {
+ icmp = {
+ cast = true;
+ ignore-all = false;
+ };
+ };
+ kernel = {
+ cpu-mitigations = "smt-on";
+ io-uring = true;
+ lockdown = true;
+ only-signed-modules = true;
+ pti = true;
+ sysrq = "none";
+ };
+ system = {
+ yama = "relaxed";
+ };
+ };
+ extras = {
+ kernel = {
+ intelme-kmodules = false;
+ };
+ system = {
+ secure-chrony = true;
+ unprivileged-userns = false;
+ };
+ };
+ filesystems = {
+ normal = {
+ # let me run shell scripts
+ # please and thank you
+ "/home".options.noexec = lib.mkForce false;
+ "/etc".options.noexec = lib.mkForce true;
+ };
+ };
+ };
+ };
+}
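Review bot: Apart from the `/home` noexec override, none of the deviations in `settings` and `extras` carry a why-comment, and the option names alone do not show whether a given value loosens or tightens the profile (`debug.coredump = true`, `kernel.io-uring = true`, `cpu-mitigations = "smt-on"`, `system.yama = "relaxed"`, `system.unprivileged-userns = false`). A one-line comment per override naming the workload that needs it — in the style of the existing `# let me run shell scripts` note — would let a later reader judge whether each relaxation is still required. If `coredump = true` re-enables core dumps, it is worth noting that dumps of privileged processes can write secrets to disk, so keeping them scoped to the debugging session that needs them is the safer default. The `inputs.nix-mineral.nixosModules.nix-mineral` import is necessarily unconditional (imports cannot depend on `config`), so the module is evaluated on every host even when `hardened = false`; presumably it is inert without `enable = true`, but that should be confirmed against the module before other hosts pick up this file.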