{ lib, ... }:
# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
#
# Hardening baseline. Anything wrapped in `lib.mkDefault` is a soft default
# that a host-specific module may override; everything else is pinned here.
{
  # Mandatory access control plus kernel audit logging.
  security.apparmor.enable = lib.mkDefault true;
  security.audit.enable = lib.mkDefault true;
  security.auditd.enable = lib.mkDefault true;

  # Fix `run0`: give its PAM service a proper session and environment.
  # TODO: Upstream?
  security.pam.services.systemd-run0 = {
    startSession = true;
    setEnvironment = true;
  };

  # Deliberately not `mkDefault`: run0 authorizes through polkit, so it stays on.
  security.polkit.enable = true;

  # sudo is off by default (run0 presumably takes its place); should a host
  # re-enable it, execution remains restricted to members of `wheel`.
  security.sudo.enable = lib.mkDefault false;
  security.sudo.execWheelOnly = true;

  services.dbus.apparmor = lib.mkDefault "enabled";
}