path: root/system/hardened.nix
blob: 91b653f4488d0424884a472d77593b43efde63b2 (plain)
# Opt-in hardening profile: imports the nix-mineral module from `inputs` and
# enables it, with a set of overrides, only when `config.hardened` is true.
# The `hardened` option itself is not declared in this file.
{
  lib,
  config,
  inputs,
  ...
}: {
  # The import is unconditional; only the settings below are gated by mkIf.
  # NOTE(review): what gets evaluated here is whatever `inputs.nix-mineral`
  # resolves to - presumably a pinned flake input; review lock-file bumps of
  # it like any other change to security-relevant code.
  imports = ["${inputs.nix-mineral}/nix-mineral.nix"];

  config = lib.mkIf config.hardened {
    nix-mineral.enable = true;

    # Every override below is read here as opting OUT of a nix-mineral default
    # in exchange for desktop usability. Semantics are inferred from the option
    # names - confirm against the pinned nix-mineral revision.
    nix-mineral.overrides.desktop = {
      # Presumably lift noexec from /home, /tmp and /var/lib. These are
      # writable locations, so files dropped there become runnable again;
      # keep only the ones a real workload needs.
      home-exec = true;
      tmp-exec = true;
      var-lib-exec = true;
      # Presumably relaxes /proc process hiding to processes the caller
      # could ptrace - TODO confirm.
      hideproc-ptraceable = true;
      # Presumably skips tightening of home-directory permissions, so
      # existing modes are left as they are - TODO confirm.
      skip-restrict-home-permission = true;
    };

    # Presumably keeps SMT enabled. Hardened profiles commonly disable SMT to
    # reduce cross-thread CPU side-channel exposure; this accepts that risk
    # for performance.
    nix-mineral.overrides.performance.allow-smt = true;

    # Presumably switches time synchronisation to a hardened chrony setup -
    # TODO confirm what it configures.
    nix-mineral.overrides.software-choice.secure-chrony = true;
  };
}