initial commit

modules/features/security/systemd/security-systemd.nix

@@ -0,0 +1,58 @@
+{ ... }:
+{
+  config.dendritic.features.security-systemd = {
+    features = [
+      "security-systemd-ask-password-console"
+      "security-systemd-ask-password-wall"
+      "security-systemd-auditd"
+      # "security-systemd-dbus" using dbus-broker
+      "security-systemd-display-manager"
+      # "security-systemd-getty"
+      "security-systemd-journald"
+      "security-systemd-machined"
+      "security-systemd-ncsd"
+      "security-systemd-networkmanager"
+      "security-systemd-networkmanager-dispatcher"
+      "security-systemd-nix-daemon"
+      "security-systemd-reload-vconsole"
+      "security-systemd-rescue"
+      "security-systemd-rtkit"
+      "security-systemd-sshd"
+      "security-systemd-udevd"
+      #"security-systemd-user"
+    ];
+
+    nixosModules = [
+      (
+        { lib, ... }:
+        {
+          services = {
+            # mDNS/DNS-SD
+            avahi.enable = false;
+            # Geoclue (location services)
+            geoclue2.enable = false;
+            # udisks2.enable = false;
+            # accounts-daemon.enable = lib.mkDefault false;
+          };
+          # Only needed for WWAN/3G/4G modems, otherwise it runs `mmcli` unnecessarily
+          networking.modemmanager.enable = false;
+          # Bluetooth has a long history of vulnerabilities
+          hardware.bluetooth.enable = false;
+          # Prefer manual upgrades on a hardened system
+          system.autoUpgrade.enable = false;
+
+          systemd.coredump.enable = false;
+          # ➡️ Sets the kernel's resource limit (ulimit -c 0)
+          security.pam.loginLimits = [
+            {
+              domain = "*"; # Applies to all users/sessions
+              type = "-"; # Set both soft and hard limits
+              item = "core"; # The soft/hard limit item
+              value = "0"; # Core dumps size is limited to 0 (effectively disabled)
+            }
+          ];
+        }
+      )
+    ];
+  };
+}