| author | Freya Murphy <freya@freyacat.org> | 2025-12-31 13:38:01 -0500 |
|---|---|---|
| committer | Freya Murphy <freya@freyacat.org> | 2025-12-31 13:38:01 -0500 |
| commit | dd12f2110cd278ac16fb6b07cecc7dc5560e57ae (patch) | |
| tree | 27d6536846dcb5c88abf61fefa2194f55df48211 /system | |
| parent | switch to sudo-rs (diff) | |
| download | dotfiles-nix-dd12f2110cd278ac16fb6b07cecc7dc5560e57ae.tar.gz dotfiles-nix-dd12f2110cd278ac16fb6b07cecc7dc5560e57ae.tar.bz2 dotfiles-nix-dd12f2110cd278ac16fb6b07cecc7dc5560e57ae.zip | |
add hardening module
Diffstat (limited to 'system')
| -rw-r--r-- | system/default.nix | 1 | ||||
| -rw-r--r-- | system/hardened.nix | 33 |
2 files changed, 34 insertions, 0 deletions
diff --git a/system/default.nix b/system/default.nix
index 9e8ab90..be64ff0 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
 ./bluetooth.nix
 ./desktop.nix
 ./fingerprint.nix
+ ./hardened.nix
 ./hardware.nix
 ./networking.nix
 ./sshd.nix
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..91b653f
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ "${inputs.nix-mineral}/nix-mineral.nix"
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ overrides = {
+ desktop = {
+ home-exec = true;
+ tmp-exec = true;
+ var-lib-exec = true;
+ hideproc-ptraceable = true;
+ skip-restrict-home-permission = true;
+ };
+ performance = {
+ allow-smt = true;
+ };
+ software-choice = {
+ secure-chrony = true;
+ };
+ };
+ };
+ };
+}
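Review bot: Every override under `desktop` and `performance` in the new system/hardened.nix appears to relax a nix-mineral default (judging by the names: executable /home, /tmp and /var/lib, a ptrace-visible /proc, home permissions left unrestricted, SMT kept on) and none records why it is needed, so a later reader cannot tell a deliberate risk acceptance from a leftover. A one-line comment per override naming the workload that requires it would fix that, e.g. `allow-smt = true; # accepted: keep hyperthreading for desktop performance despite side-channel exposure` and `tmp-exec = true; # required by: <TOOL-THAT-NEEDS-IT>`. The `mkIf config.hardened` guard reads an option that is not declared in this diff; presumably it lives in another module, and a short comment pointing there would help. Note that `imports` cannot sit under `mkIf`, so the nix-mineral module is evaluated even when `hardened` is false; that is expected Nix behaviour but worth stating in a comment above the `imports` list.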