authorseth <[email protected]>2024-08-15 03:48:19 -0400
committerseth <[email protected]>2024-08-15 03:49:52 -0400
commitafea969091272b9dc640e95f9bd199d49ce2f5fa (patch)
tree11fc1517e21dec76ff2109445b33e5b0f3f83f78 /modules/nixos/base/security.nix
parente4dd32a081e570eb579614ddbd9d1dbbccbba782 (diff)
nixos/base: make security module more customizable
Diffstat (limited to 'modules/nixos/base/security.nix')
-rw-r--r--modules/nixos/base/security.nix37
1 files changed, 26 insertions, 11 deletions
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
index 5c015c7..66a1e7e 100644
--- a/modules/nixos/base/security.nix
+++ b/modules/nixos/base/security.nix
@@ -8,20 +8,35 @@ in
default = config.base.enable;
defaultText = lib.literalExpression "config.base.enable";
};
- };
- # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
- config = lib.mkIf cfg.enable {
- security = {
- apparmor.enable = lib.mkDefault true;
- audit.enable = lib.mkDefault true; # TODO: do i really need to set this manually?
- auditd.enable = lib.mkDefault true; # ditto
- polkit.enable = lib.mkDefault true; # ditto
- sudo.execWheelOnly = true;
+ apparmor = lib.mkEnableOption "AppArmor support" // {
+ default = true;
};
- services = {
- dbus.apparmor = lib.mkDefault "enabled";
+ auditing = lib.mkEnableOption "auditing support" // {
+ default = true;
};
};
+
+ # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security = {
+ polkit.enable = true;
+ sudo.execWheelOnly = true;
+ };
+ }
+ (lib.mkIf cfg.auditing {
+ security = {
+ audit.enable = true;
+ auditd.enable = true;
+ };
+ })
+ (lib.mkIf cfg.apparmor {
+ security.apparmor.enable = true;
+ services.dbus.apparmor = lib.mkDefault "enabled";
+ })
+ ]
+ );
}
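Review bot: The new hard-coded `true` values on `security.polkit.enable`, `security.audit.enable`, `security.auditd.enable` and `security.apparmor.enable` drop the `lib.mkDefault` that the removed lines carried, while `services.dbus.apparmor` on the next line keeps it; a host module that previously wrote `security.polkit.enable = false;` will now fail evaluation with a conflicting-definition error instead of winning, and polkit in particular has no new option to turn it off. If the intent is that the hardening is authoritative once the sub-option is on, keep the plain assignments but say so, e.g. above the `lib.mkMerge` add `# Values below are set at normal priority on purpose: disable a feature through the apparmor/auditing options, not by overriding security.* directly.`; otherwise restore the override-friendly form, `polkit.enable = lib.mkDefault true;` and likewise for the three audit/apparmor lines. Either way the two `lib.mkEnableOption` descriptions would be clearer if they listed what they toggle (apparmor also flips `services.dbus.apparmor`; auditing enables both the kernel audit subsystem and auditd), since the TODO comments that hinted at this were removed. The `options` attrset this hunk edits starts before line 8, so the option path behind `cfg` is not visible here.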