| -rw-r--r-- | modules/nixos/base/security.nix | 37 |
1 files changed, 26 insertions, 11 deletions
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
index 5c015c7..66a1e7e 100644
--- a/modules/nixos/base/security.nix
+++ b/modules/nixos/base/security.nix
@@ -8,20 +8,35 @@ in
       default = config.base.enable;
       defaultText = lib.literalExpression "config.base.enable";
     };
-  };
-  # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
-  config = lib.mkIf cfg.enable {
-    security = {
-      apparmor.enable = lib.mkDefault true;
-      audit.enable = lib.mkDefault true; # TODO: do i really need to set this manually?
-      auditd.enable = lib.mkDefault true; # ditto
-      polkit.enable = lib.mkDefault true; # ditto
-      sudo.execWheelOnly = true;
+    apparmor = lib.mkEnableOption "AppArmor support" // {
+      default = true;
     };
-    services = {
-      dbus.apparmor = lib.mkDefault "enabled";
+    auditing = lib.mkEnableOption "auditing support" // {
+      default = true;
     };
   };
+
+  # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      {
+        security = {
+          polkit.enable = true;
+          sudo.execWheelOnly = true;
+        };
+      }
+      (lib.mkIf cfg.auditing {
+        security = {
+          audit.enable = true;
+          auditd.enable = true;
+        };
+      })
+      (lib.mkIf cfg.apparmor {
+        security.apparmor.enable = true;
+        services.dbus.apparmor = lib.mkDefault "enabled";
+      })
+    ]
+  );
 } |
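Review bot: The new `lib.mkMerge` body drops the `lib.mkDefault` that the removed lines carried on `polkit.enable`, `audit.enable`, `auditd.enable` and `apparmor.enable`, so any other module that sets one of these to `false` (for example disabling only the `auditd` daemon while keeping `security.audit.enable`) will now fail evaluation with conflicting definitions instead of overriding this module. If that is intended, because the new `apparmor` and `auditing` options are meant to be the only switch, state it next to the options, e.g. `# Hardening values are set without mkDefault on purpose: use the base.apparmor / base.auditing options (not the underlying security.* options) to turn them off.`, with the option path adjusted to whatever `cfg` actually refers to, since its definition is outside this hunk. Otherwise keep `lib.mkDefault true` on the four `security.*.enable` lines as before; note the inconsistency that `services.dbus.apparmor` alone retains `lib.mkDefault`. The enclosing module attribute set and the `options` block begin before this hunk.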
