parts/modules/nixos/base/security.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

{
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkDefault;
in {
  security = {
    apparmor.enable = mkDefault true;
    audit.enable = mkDefault true;
    auditd.enable = mkDefault true;
    polkit.enable = mkDefault true;
    rtkit.enable = mkDefault true;
    sudo.execWheelOnly = true;
  };

  services.dbus.apparmor = mkDefault "enabled";

  users = {
    defaultUserShell = pkgs.bash;
    mutableUsers = false;
  };

  nix.settings = {
    trusted-users = ["root" "@wheel"];
  };
}