path: root/system/hardened.nix
blob: 223b358da338d3ae3211996bd3b4f1686e713e9a (plain)
{
  lib,
  config,
  inputs,
  ...
}: let
  inherit (lib) mkIf mkForce;
in {
  # Bring the nix-mineral hardening module in from the flake inputs.
  imports = [inputs.nix-mineral.nixosModules.nix-mineral];

  # Everything below is gated on the host's `hardened` flag: non-hardened
  # hosts still import the module but never activate any of it.
  config = mkIf config.hardened {
    nix-mineral.enable = true;

    # Debug-related knobs. Core dumps appear to stay available here (`true`);
    # core files can capture secrets from process memory, so this is worth
    # a second look on multi-user hosts — confirm the intended meaning.
    nix-mineral.settings.debug = {
      coredump = true;
      zram = false;
    };

    # ICMP handling: broadcast/multicast control on, but ICMP is not ignored
    # wholesale (presumably keeps ping reachable) — verify against the module docs.
    nix-mineral.settings.network.icmp = {
      cast = true;
      ignore-all = false;
    };

    # Kernel attack-surface settings.
    nix-mineral.settings.kernel = {
      # Mitigations on with SMT left enabled; some cross-thread side-channel
      # classes remain exposed with SMT on — looks like a deliberate perf trade-off.
      cpu-mitigations = "smt-on";
      # io_uring left on (assuming `true` means enabled). It is a large,
      # historically bug-prone kernel interface; review whether it is needed.
      io-uring = true;
      lockdown = true;
      only-signed-modules = true;
      pti = true;
      # No magic SysRq keys at all.
      sysrq = "none";
    };

    # Yama ptrace scope relaxed: presumably loosens ptrace restrictions so
    # in-process debugging works, at the cost of weaker process isolation.
    nix-mineral.settings.system.yama = "relaxed";

    # Optional extras offered by nix-mineral.
    nix-mineral.extras = {
      kernel.intelme-kmodules = false;
      system = {
        secure-chrony = true;
        # NOTE(review): ambiguous whether `false` leaves unprivileged user
        # namespaces enabled or disables the extra — verify against the module.
        unprivileged-userns = false;
      };
    };

    # Mount-option overrides. /home keeps exec so user shell scripts can run;
    # /etc is forced noexec. Both use mkForce to override the module's defaults.
    nix-mineral.filesystems.normal = {
      "/home".options.noexec = mkForce false;
      "/etc".options.noexec = mkForce true;
    };
  };
}