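{ ... }:
{
  # Hardening feature set for systemd-managed services and the host they run on.
  # `features` enumerates the per-unit hardening modules this set activates; the
  # commented-out entries are deliberately excluded from the active set.
  config.dendritic.features.security-systemd = {
    features = [
      "security-systemd-ask-password-console"
      "security-systemd-ask-password-wall"
      "security-systemd-auditd"
      # "security-systemd-dbus" using dbus-broker
      "security-systemd-display-manager"
      # "security-systemd-getty"
      "security-systemd-journald"
      "security-systemd-machined"
      "security-systemd-ncsd"
      "security-systemd-networkmanager"
      "security-systemd-networkmanager-dispatcher"
      "security-systemd-nix-daemon"
      "security-systemd-reload-vconsole"
      "security-systemd-rescue"
      "security-systemd-rtkit"
      "security-systemd-sshd"
      "security-systemd-udevd"
      #"security-systemd-user"
    ];

    # Host-level settings that accompany the per-unit hardening above:
    # disable daemons that widen the attack surface, and suppress core dumps.
    nixosModules = [
      (
        # `lib` is only referenced by the commented-out accounts-daemon line.
        { lib, ... }:
        {
          services = {
            # mDNS/DNS-SD
            avahi.enable = false;
            # Geoclue (location services)
            geoclue2.enable = false;
            # udisks2.enable = false;
            # accounts-daemon.enable = lib.mkDefault false;
          };

          # Only needed for WWAN/3G/4G modems, otherwise it runs `mmcli` unnecessarily
          networking.modemmanager.enable = false;
          # Bluetooth has a long history of vulnerabilities
          hardware.bluetooth.enable = false;
          # Prefer manual upgrades on a hardened system
          system.autoUpgrade.enable = false;

          # Core dumps: turn off the systemd-coredump collector, then clamp
          # RLIMIT_CORE to 0 on every path a process can be started from.
          systemd.coredump.enable = false;

          # pam_limits: RLIMIT_CORE=0 for PAM sessions (console/ssh logins,
          # display manager). This is a per-process rlimit applied at session
          # start — equivalent to `ulimit -c 0` — not a kernel-wide setting, so
          # it does not reach units systemd spawns directly. Those are covered
          # by DefaultLimitCORE below.
          security.pam.loginLimits = [
            {
              domain = "*"; # Applies to all users/sessions
              type = "-"; # Set both soft and hard limits
              item = "core"; # The soft/hard limit item
              value = "0"; # Core dumps size is limited to 0 (effectively disabled)
            }
          ];

          # Default RLIMIT_CORE for every unit the system manager starts (and,
          # by inheritance of the hard limit, user managers and their units).
          # Without this, a crashing service keeps systemd's default limit and
          # may still write a plain `core` file into its working directory even
          # though the collector above is disabled.
          systemd.extraConfig = ''
            DefaultLimitCORE=0
          '';
        }
      )
    ];
  };
}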