Diffstat (limited to 'modules/nixos/defaults')
-rw-r--r--modules/nixos/defaults/default.nix8
-rw-r--r--modules/nixos/defaults/nix.nix10
-rw-r--r--modules/nixos/defaults/programs.nix6
-rw-r--r--modules/nixos/defaults/security.nix13
-rw-r--r--modules/nixos/defaults/users.nix18
5 files changed, 55 insertions, 0 deletions
diff --git a/modules/nixos/defaults/default.nix b/modules/nixos/defaults/default.nix
new file mode 100644
index 0000000..bcd3554
--- /dev/null
+++ b/modules/nixos/defaults/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./nix.nix
+ ./programs.nix
+ ./security.nix
+ ./users.nix
+ ];
+}
diff --git a/modules/nixos/defaults/nix.nix b/modules/nixos/defaults/nix.nix
new file mode 100644
index 0000000..8716f00
--- /dev/null
+++ b/modules/nixos/defaults/nix.nix
@@ -0,0 +1,10 @@
+{ lib, ... }:
+{
+ nix = {
+ channel.enable = lib.mkDefault false;
+ settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ };
+}
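Review bot: Listing `"@wheel"` in `nix.settings.trusted-users` makes every wheel member root-equivalent towards the Nix daemon without going through sudo, which weakens the `sudo.execWheelOnly` hardening added in security.nix in the same commit. The list is also set at normal priority, and list definitions merge, so a host importing these defaults cannot drop `@wheel` without `lib.mkForce`. Unlike `channel.enable` on the line above, it is not wrapped in `lib.mkDefault`. I would either leave the option at `[ "root" ]` or write `settings.trusted-users = lib.mkDefault [ "root" "@wheel" ];` with a comment such as `# trusted users can override daemon settings and import unsigned paths; treat wheel as root-equivalent`.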
diff --git a/modules/nixos/defaults/programs.nix b/modules/nixos/defaults/programs.nix
new file mode 100644
index 0000000..c7d655f
--- /dev/null
+++ b/modules/nixos/defaults/programs.nix
@@ -0,0 +1,6 @@
+{
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+}
diff --git a/modules/nixos/defaults/security.nix b/modules/nixos/defaults/security.nix
new file mode 100644
index 0000000..65ce729
--- /dev/null
+++ b/modules/nixos/defaults/security.nix
@@ -0,0 +1,13 @@
+# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+{ lib, ... }:
+{
+ security = {
+ apparmor.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true;
+ auditd.enable = lib.mkDefault true;
+ polkit.enable = true;
+ sudo.execWheelOnly = true;
+ };
+
+ services.dbus.apparmor = lib.mkDefault "enabled";
+}
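Review bot: `audit.enable` and `auditd.enable` are switched on without any `security.audit.rules`, so the daemon runs but nothing in this module tells the kernel what to record. If the intent is the process-execution trail from the post cited in the header comment, add something like `audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];` and note the expected log volume. Otherwise add a comment saying that rules are supplied per host. Separately, `polkit.enable` and `sudo.execWheelOnly` are set at normal priority while their neighbours use `lib.mkDefault`; if that is deliberate, so that hosts cannot relax them by accident, a one-line comment saying so would help.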
diff --git a/modules/nixos/defaults/users.nix b/modules/nixos/defaults/users.nix
new file mode 100644
index 0000000..0cec52a
--- /dev/null
+++ b/modules/nixos/defaults/users.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+
+ users.root = {
+ home = lib.mkDefault "/root";
+ uid = config.ids.uids.root;
+ group = "root";
+ };
+ };
+}
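Review bot: `mutableUsers = false` is set here but no credential is declared for root or any other account in this module, so every host that imports it has to supply one declaratively; NixOS should refuse to evaluate otherwise unless `users.allowNoPasswordLogin` is set. A comment next to the option would make that contract explicit, for example `# immutable users: each host must declare a login credential; prefer hashedPasswordFile so hashes stay out of the world-readable store`. The `users.root` attributes below appear to repeat what NixOS already defines for root, so a short note on why they are restated would help.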