grimm-nixos-laptop/hardening/default.nix

{
  lib,
  pkgs,
  ...
}:
{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
  ];

  specialisation.unhardened.configuration = {
    services.opensnitch.enable = lib.mkForce false;
    security.apparmor.enable = lib.mkForce false;
  };
  #

  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano ];
}
cached and updated nix-index 2025-01-14 20:37:14 +01:00			`{`
			`lib,`
			`pkgs,`
			`...`
			`}:`
hardening WIP 2025-01-03 15:57:36 +01:00			`{`
			`imports = [`
systemd network hardening 2025-01-05 13:27:12 +01:00			`./systemd`
hardening WIP 2025-01-03 15:57:36 +01:00			`./ssh-as-sudo.nix`
clean up hardening 2025-01-10 12:50:01 +01:00			`./apparmor`
			`./opensnitch`
			`./security.nix`
hardening WIP 2025-01-03 15:57:36 +01:00			`];`

fixes and qol 2025-01-26 21:43:23 +01:00			`specialisation.unhardened.configuration = {`
			`services.opensnitch.enable = lib.mkForce false;`
			`security.apparmor.enable = lib.mkForce false;`
			`};`
			`#`
hardening WIP 2025-01-03 15:57:36 +01:00
			`systemd.tpm2.enable = false;`
			`systemd.enableEmergencyMode = false;`
			`virtualisation.vswitch.enable = false;`
fixes and qol 2025-01-26 21:43:23 +01:00			`services.resolved.enable = false;`
hardening WIP 2025-01-03 15:57:36 +01:00			`security.unprivilegedUsernsClone = true;`
cached and updated nix-index 2025-01-14 20:37:14 +01:00			`environment.defaultPackages = lib.mkForce [ ];`
			`environment.systemPackages = with pkgs; [ nano ];`
hardening WIP 2025-01-03 15:57:36 +01:00			`}`