authorFreya Murphy <freya@freyacat.org>2025-12-31 13:38:01 -0500
committerFreya Murphy <freya@freyacat.org>2025-12-31 21:20:20 -0500
commit478f6b2b4bdba66f02f0d1dfa3cff17f6133beee (patch)
tree906c18a56258f35b32ff9a4e76e15b53a1b7702f /system/hardened.nix
parentswitch to sudo-rs (diff)
add hardening module
Diffstat (limited to 'system/hardened.nix')
-rw-r--r--system/hardened.nix58
1 files changed, 58 insertions, 0 deletions
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..223b358
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,58 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ inputs.nix-mineral.nixosModules.nix-mineral
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ settings = {
+ debug = {
+ coredump = true;
+ zram = false;
+ };
+ network = {
+ icmp = {
+ cast = true;
+ ignore-all = false;
+ };
+ };
+ kernel = {
+ cpu-mitigations = "smt-on";
+ io-uring = true;
+ lockdown = true;
+ only-signed-modules = true;
+ pti = true;
+ sysrq = "none";
+ };
+ system = {
+ yama = "relaxed";
+ };
+ };
+ extras = {
+ kernel = {
+ intelme-kmodules = false;
+ };
+ system = {
+ secure-chrony = true;
+ unprivileged-userns = false;
+ };
+ };
+ filesystems = {
+ normal = {
+ # let me run shell scripts
+ # please and thank you
+ "/home".options.noexec = lib.mkForce false;
+ "/etc".options.noexec = lib.mkForce true;
+ };
+ };
+ };
+ };
+}
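Review bot: The settings that read as deliberate relaxations of the nix-mineral profile — `cpu-mitigations = "smt-on"`, `yama = "relaxed"`, `debug.coredump = true` and the `/home` noexec override — carry no rationale apart from the two-line comment on `/home`, so a later reader cannot tell which are trade-offs and which were copied in (the exact meaning of each key depends on the nix-mineral option definitions, which are not in this file). A one-line why-comment per relaxation, e.g. `yama = "relaxed"; # ptrace scope: needed for <tool> — confirm`, and a file header such as `# Opt-in hardening profile, enabled by config.hardened (declared elsewhere), layered on nix-mineral with the overrides below`, would make the trade-offs auditable. The `/home` comment should also say that the override presumably drops noexec for the whole mount rather than only for shell scripts, since that is what `options.noexec = false` appears to do. As a point of style, `mkForce` could be inherited next to `mkIf` on the `inherit (lib)` line so the file does not mix `lib.mkForce` with bare `mkIf`.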