| -rw-r--r-- | flake.lock | 17 | ||||
| -rw-r--r-- | flake.nix | 3 | ||||
| -rw-r--r-- | hosts/shinji/default.nix | 1 | ||||
| -rw-r--r-- | hosts/shinji/hardware.nix | 5 | ||||
| -rw-r--r-- | lib/default.nix | 1 | ||||
| -rw-r--r-- | options.nix | 3 | ||||
| -rw-r--r-- | system/default.nix | 1 | ||||
| -rw-r--r-- | system/hardened.nix | 33 |
8 files changed, 60 insertions, 4 deletions
@@ -560,6 +560,22 @@
 "type": "github"
 }
 },
+ "nix-mineral": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1761443828,
+ "narHash": "sha256-Dh6zq3IvLjU3wkmoM/5oVTQ0tIBn6Rm1KJ0Ri4k0yQQ=",
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "rev": "395384ceabc7f1b04dc32fa92654f3cc3294f330",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "type": "github"
+ }
+ },
 "nixos-hardware": {
 "locked": {
 "lastModified": 1767070591,
@@ -677,6 +693,7 @@
 "hy3": "hy3",
 "hyprland": "hyprland",
 "hyprland-plugins": "hyprland-plugins",
+ "nix-mineral": "nix-mineral",
 "nixos-hardware": "nixos-hardware",
 "nixos-wsl": "nixos-wsl",
 "nixpkgs": "nixpkgs",
@@ -44,6 +44,9 @@
 preload-ng.inputs.nixpkgs.follows = "nixpkgs";
 # nixos-hardware
 nixos-hardware.url = "github:nixos/nixos-hardware/master";
+ # nix-mineral
+ nix-mineral.url = "github:cynicsketch/nix-mineral";
+ nix-mineral.flake = false;
 };
 outputs = {
diff --git a/hosts/shinji/default.nix b/hosts/shinji/default.nix
index 34e84ec..1ae7d56 100644
--- a/hosts/shinji/default.nix
+++ b/hosts/shinji/default.nix
@@ -99,4 +99,5 @@
 bluetooth = true;
 network = true;
 tpm = true;
+ hardened = true;
 }
diff --git a/hosts/shinji/hardware.nix b/hosts/shinji/hardware.nix
index f1edca2..b35c2a2 100644
--- a/hosts/shinji/hardware.nix
+++ b/hosts/shinji/hardware.nix
@@ -30,13 +30,10 @@
 boot.initrd.kernelModules = [
 "vfio_pci"
 "vfio"
- "vfio_iommu_type1"
 ];
 boot.kernelModules = ["kvm-amd"];
 boot.blacklistedKernelModules = ["nouveau"];
- boot.kernelParams = [
- "amd_iommu=on"
- ];
+ boot.kernelParams = [];
 boot.extraModulePackages = [];
 boot.supportedFilesystems = ["ntfs"];
diff --git a/lib/default.nix b/lib/default.nix
index 006e638..bdd5adb 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -20,6 +20,7 @@ in {
 fingerprint
 network
 tpm
+ hardened
 minimal
 # Primary User
 user
diff --git a/options.nix b/options.nix
index 5093e8b..9753f99 100644
--- a/options.nix
+++ b/options.nix
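Review bot: In the hosts/shinji/hardware.nix hunk, `vfio_iommu_type1` is dropped from boot.initrd.kernelModules while `vfio_pci` and `vfio` stay, which leaves the VFIO stack in the initrd without its IOMMU backend; if early device binding on this host still relies on it, that presumably fails unless the module is loaded later. Removing `amd_iommu=on` likewise means IOMMU activation now depends on kernel/firmware defaults or on whatever the new hardened module sets, neither of which is visible in this commit. Record that dependency next to the replacement line, e.g. `boot.kernelParams = []; # IOMMU/vfio settings now expected from system/hardened.nix (nix-mineral) — confirm`, or drop the empty assignment entirely since it is a no-op. The enclosing attrset starts and ends outside the hunk.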
@@ -280,6 +280,9 @@ in {
 tpm = mkEnableOption {
 description = "Enable system TPM";
 };
+ hardened = mkEnableOption {
+ description = "Hardened the NixOS system";
+ };
 minimal = mkEnableOption {
 description = "Install only required system services, drivers, and programs.";
 };
diff --git a/system/default.nix b/system/default.nix
index 9e8ab90..be64ff0 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
 ./bluetooth.nix
 ./desktop.nix
 ./fingerprint.nix
+ ./hardened.nix
 ./hardware.nix
 ./networking.nix
 ./sshd.nix
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..91b653f
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ "${inputs.nix-mineral}/nix-mineral.nix"
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ overrides = {
+ desktop = {
+ home-exec = true;
+ tmp-exec = true;
+ var-lib-exec = true;
+ hideproc-ptraceable = true;
+ skip-restrict-home-permission = true;
+ };
+ performance = {
+ allow-smt = true;
+ };
+ software-choice = {
+ secure-chrony = true;
+ };
+ };
+ };
+ };
+}
|
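Review bot: The new option's description `"Hardened the NixOS system"` is ungrammatical and breaks the imperative "Enable …" wording of the neighbouring options such as `Enable system TPM`; change it to `description = "Enable system hardening via the nix-mineral module.";`. Naming the module in the description also tells a reader where the flag's effects, including the overrides that relax some of its defaults, are configured. The enclosing options attrset starts and ends outside the hunk.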
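Review bot: Every entry under `overrides` in the new system/hardened.nix relaxes a nix-mineral default, yet none carries a reason: judging by their names, `home-exec`, `tmp-exec` and `var-lib-exec` re-allow execution from user-writable locations, `hideproc-ptraceable` and `skip-restrict-home-permission` loosen process and home-directory visibility, and `allow-smt` keeps SMT on despite its cross-thread side-channel exposure. Give each group a one-line comment naming the workload that needs it, e.g. `# allow-smt: this host trades SMT side-channel mitigation for throughput`, so a later reader can tell deliberate trade-offs from leftovers. Note also that the `imports` entry is unconditional — the nix-mineral module is always evaluated and only `enable` is gated by `config.hardened` — which is fine provided the module's defaults apply only when enabled; worth confirming and stating in a comment above `imports`. This hunk is the whole new file.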