From dd12f2110cd278ac16fb6b07cecc7dc5560e57ae Mon Sep 17 00:00:00 2001
From: Freya Murphy
Date: Wed, 31 Dec 2025 13:38:01 -0500
Subject: add hardening module

---
 flake.lock | 17 +++++++++++++++++
 flake.nix | 3 +++
 hosts/shinji/default.nix | 1 +
 hosts/shinji/hardware.nix | 5 +----
 lib/default.nix | 1 +
 options.nix | 3 +++
 system/default.nix | 1 +
 system/hardened.nix | 33 +++++++++++++++++++++++++++++++++
 8 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 system/hardened.nix

diff --git a/flake.lock b/flake.lock
index be3408c..5509ee2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -560,6 +560,22 @@
 "type": "github"
 }
 },
+ "nix-mineral": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1761443828,
+ "narHash": "sha256-Dh6zq3IvLjU3wkmoM/5oVTQ0tIBn6Rm1KJ0Ri4k0yQQ=",
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "rev": "395384ceabc7f1b04dc32fa92654f3cc3294f330",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cynicsketch",
+ "repo": "nix-mineral",
+ "type": "github"
+ }
+ },
 "nixos-hardware": {
 "locked": {
 "lastModified": 1767070591,
@@ -677,6 +693,7 @@
 "hy3": "hy3",
 "hyprland": "hyprland",
 "hyprland-plugins": "hyprland-plugins",
+ "nix-mineral": "nix-mineral",
 "nixos-hardware": "nixos-hardware",
 "nixos-wsl": "nixos-wsl",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 7d17ed6..c82e0d3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,9 @@
 preload-ng.inputs.nixpkgs.follows = "nixpkgs";
 # nixos-hardware
 nixos-hardware.url = "github:nixos/nixos-hardware/master";
+ # nix-mineral
+ nix-mineral.url = "github:cynicsketch/nix-mineral";
+ nix-mineral.flake = false;
 };
 outputs = {
diff --git a/hosts/shinji/default.nix b/hosts/shinji/default.nix
index 34e84ec..1ae7d56 100644
--- a/hosts/shinji/default.nix
+++ b/hosts/shinji/default.nix
@@ -99,4 +99,5 @@
 bluetooth = true;
 network = true;
 tpm = true;
+ hardened = true;
 }
diff --git a/hosts/shinji/hardware.nix b/hosts/shinji/hardware.nix
index f1edca2..b35c2a2 100644
--- a/hosts/shinji/hardware.nix
+++ b/hosts/shinji/hardware.nix
@@ -30,13 +30,10 @@
 boot.initrd.kernelModules = [
 "vfio_pci"
 "vfio"
- "vfio_iommu_type1"
 ];
 boot.kernelModules = ["kvm-amd"];
 boot.blacklistedKernelModules = ["nouveau"];
- boot.kernelParams = [
- "amd_iommu=on"
- ];
+ boot.kernelParams = [];
 boot.extraModulePackages = [];
 boot.supportedFilesystems = ["ntfs"];
diff --git a/lib/default.nix b/lib/default.nix
index 006e638..bdd5adb 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -20,6 +20,7 @@ in {
 fingerprint
 network
 tpm
+ hardened
 minimal
 # Primary User
 user
diff --git a/options.nix b/options.nix
index 5093e8b..9753f99 100644
--- a/options.nix
+++ b/options.nix
@@ -280,6 +280,9 @@ in {
 tpm = mkEnableOption {
 description = "Enable system TPM";
 };
+ hardened = mkEnableOption {
+ description = "Hardened the NixOS system";
+ };
 minimal = mkEnableOption {
 description = "Install only required system services, drivers, and programs.";
 };
diff --git a/system/default.nix b/system/default.nix
index 9e8ab90..be64ff0 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
 ./bluetooth.nix
 ./desktop.nix
 ./fingerprint.nix
+ ./hardened.nix
 ./hardware.nix
 ./networking.nix
 ./sshd.nix
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..91b653f
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ "${inputs.nix-mineral}/nix-mineral.nix"
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ overrides = {
+ desktop = {
+ home-exec = true;
+ tmp-exec = true;
+ var-lib-exec = true;
+ hideproc-ptraceable = true;
+ skip-restrict-home-permission = true;
+ };
+ performance = {
+ allow-smt = true;
+ };
+ software-choice = {
+ secure-chrony = true;
+ };
+ };
+ };
+ };
+}
-- 
cgit v1.2.3-freya
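Review bot: Removing `amd_iommu=on` and `vfio_iommu_type1` from hosts/shinji/hardware.nix is unconditional, while the hardening this commit adds is gated on `config.hardened` in system/hardened.nix, so switching `hardened` off for shinji later would silently leave the host with neither this setting nor whatever nix-mineral supplies in its place. The commit message gives no reason for the removal; presumably nix-mineral sets its own IOMMU kernel parameters and the lines became redundant, but that should be recorded next to the now-empty list, e.g. `boot.kernelParams = []; # IOMMU flags are set by nix-mineral via the hardened option`. The remaining `vfio_pci`/`vfio` initrd modules suggest PCI passthrough is still expected here, so I would confirm the VFIO stack still comes up in the initrd without `vfio_iommu_type1` before relying on this change.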
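Review bot: The new option's description in options.nix reads `Hardened the NixOS system`, which is ungrammatical and departs from the imperative form of its neighbours (`Enable system TPM`, `Install only required ...`); `description = "Enable system hardening via nix-mineral";` matches the surrounding style. Since enabling this option imports a third-party module whose defaults are then partly relaxed in system/hardened.nix, pointing readers at that file in the description would save them a search.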
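Review bot: The `overrides` block in system/hardened.nix turns off a noticeable part of what nix-mineral would otherwise apply — executable `/home`, `/tmp` and `/var/lib`, a relaxed hidepid on `/proc` (`hideproc-ptraceable`), skipped home-permission tightening and re-enabled SMT — but none of the flags carries a reason, so a later reader cannot tell a deliberate desktop trade-off from a workaround that should be revisited. Each group deserves a one-line why, for example `# desktop: exec on /home, /tmp and /var/lib is required by <program>; hidepid/home-permission relaxed because <reason>` and `# allow-smt: keeping SMT for performance; accepts the side-channel exposure hardening profiles usually remove`, with the placeholders filled in. Note also that the `imports` entry pulls `${inputs.nix-mineral}/nix-mineral.nix` into every host unconditionally — only `nix-mineral.enable` sits under `mkIf config.hardened` — which is fine if the module is a no-op when disabled, but worth a comment since that is not checked here. Finally, flake.nix declares the input with a bare `github:cynicsketch/nix-mineral` URL, so the revision is held only by flake.lock; because this module shapes system-wide kernel and service policy, review `nix flake update` diffs for this input (or pin a `?rev=`) rather than taking the default branch head.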