Diffstat (limited to '')
| -rw-r--r-- | system/default.nix | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/system/default.nix b/system/default.nix
index 0ee0414..9be2937 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
 ./bluetooth.nix
 ./desktop.nix
 ./fingerprint.nix
+ ./hardened.nix
 ./hardware.nix
 ./networking.nix
 ./sshd.nix
@@ -22,8 +23,18 @@
 ];
 
 # allow flakes
- nix.settings.experimental-features = ["nix-command" "flakes"];
- nix.settings.use-xdg-base-directories = true;
+ nix = {
+ channel.enable = false;
+ extraOptions = ''
+ warn-dirty = false
+ '';
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ use-xdg-base-directories = true;
+ trusted-users = ["root" "@wheel"];
+ };
+ };
 
 # allow defined unfree packages
 nixpkgs.config.allowUnfreePredicate = pkg:
@@ -38,6 +49,8 @@
 tmpfsSize = "50%";
 };
 
+ services.seatd.enable = true;
+
 # use system packages in home manager
 home-manager.useGlobalPkgs = true;
 
@@ -89,6 +102,7 @@
 wget
 ];
 
+ environment.defaultPackages = lib.mkForce [];
 environment.systemPackages = config.extraPackages;
 
 # system shell
@@ -112,8 +126,11 @@
 
 # docs
 documentation = {
- info.enable = false;
+ enable = true;
+ doc.enable = false;
+ man.enable = true;
 dev.enable = false;
+ info.enable = false;
 nixos.enable = false;
 };
 
@@ -131,4 +148,11 @@
 
 # certs
 security.pki.certificateFiles = inputs.self.lib.certs;
+
+ # sudo
+ security.sudo.enable = false;
+ security.sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ };
 } |
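Review bot: `trusted-users = ["root" "@wheel"];` in the new `nix.settings` block (hunk `-22,8 +23,18`) makes every wheel member a trusted Nix user, which the Nix manual describes as essentially equivalent to root access. A trusted user can change daemon settings such as substituters and bypass signature checks without any password prompt. That undercuts the sudo-rs `execWheelOnly` restriction added in the last hunk, because a hijacked wheel session would not need sudo at all. If wheel only needs to use the daemon, `trusted-users = ["root"];` with `allowed-users = ["@wheel"];` keeps that without the escalation path. The `# allow flakes` comment above the block also no longer describes everything the block configures.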
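Review bot: `lib.mkForce` on `environment.defaultPackages` (hunk `-89,6 +102,7`) is stronger than needed to clear the option's default, because a plain definition already takes priority over a module default. Keeping it also silently overrides any other module that sets the option, possibly including the newly imported `./hardened.nix`, whose contents are not visible here. Unless such a conflict exists, `environment.defaultPackages = [];` is enough, and a short comment such as `# no implicit default packages` would match the commented settings around it. Whether `lib` is among the module arguments cannot be checked from this hunk.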
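Review bot: The `# sudo` comment in the last hunk (`-131,4 +148,11`) does not say that sudo is being replaced by sudo-rs or why, which matters to anyone who later adds a sudoers rule. With `execWheelOnly = true` the wrapper is presumably not executable outside the wheel group, so rules for non-wheel users or service accounts would stop working; if none are expected, the comment should say so. Suggested comment: `# sudo: use sudo-rs instead of sudo; only wheel members may execute it`.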