initial commit

2026-04-15 18:26:05 -04:00 · 2026-04-15 18:26:05 -04:00 · ebc1be5217
commit ebc1be5217
143 changed files with 7721 additions and 0 deletions
--- a/modules/features/security/systemd/security-systemd-user.nix
+++ b/modules/features/security/systemd/security-systemd-user.nix
@ -0,0 +1,41 @@
+{ ... }:
+{
+  config.dendritic.features.security-systemd-user = {
+    nixosModules = [
+      (
+        { ... }:
+        {
+          systemd.services."user@".serviceConfig = {
+            ProtectSystem = "strict";
+            ProtectClock = true;
+            ProtectHostname = true;
+            ProtectKernelTunables = true;
+            ProtectKernelModules = true;
+            ProtectKernelLogs = true;
+            ProtectProc = "invisible";
+            PrivateTmp = true;
+            PrivateNetwork = true;
+            MemoryDenyWriteExecute = true;
+            RestrictAddressFamilies = [
+              "AF_UNIX"
+              "AF_NETLINK"
+              "AF_BLUETOOTH"
+            ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallFilter = [
+              "~@keyring"
+              "~@swap"
+              "~@debug"
+              "~@module"
+              "~@obsolete"
+              "~@cpu-emulation"
+            ];
+            SystemCallArchitectures = "native";
+          };
+        }
+      )
+    ];
+  };
+}