authorseth <[email protected]>2024-07-09 06:45:24 -0400
committerseth <[email protected]>2024-07-09 15:38:51 -0400
commit6368272cdeec8c69800b4e7645402914f48e5c33 (patch)
treef5e321fac25da065bff0480a63b0031eee00a031 /modules/nixos/base/security.nix
parent74159b94f662fc737f5614bdd29fd76bf27cee27 (diff)
modules: better document most things
Diffstat (limited to 'modules/nixos/base/security.nix')
-rw-r--r--modules/nixos/base/security.nix8
1 files changed, 5 insertions, 3 deletions
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
index 12d6f7e..5c015c7 100644
--- a/modules/nixos/base/security.nix
+++ b/modules/nixos/base/security.nix
@@ -6,15 +6,17 @@ in
options.base.security = {
enable = lib.mkEnableOption "basic security settings" // {
default = config.base.enable;
+ defaultText = lib.literalExpression "config.base.enable";
};
};
+ # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
config = lib.mkIf cfg.enable {
security = {
apparmor.enable = lib.mkDefault true;
- audit.enable = lib.mkDefault true;
- auditd.enable = lib.mkDefault true;
- polkit.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true; # TODO: do i really need to set this manually?
+ auditd.enable = lib.mkDefault true; # ditto
+ polkit.enable = lib.mkDefault true; # ditto
sudo.execWheelOnly = true;
};