Security Branch
The security branch collects hardening and state-protection leaves.
What this branch does
The declaration is simple.
```nix
config.my.branches.security = {
  description = "Dendritic security branch for host hardening modules.";
};
```

The leaves provide firewall defaults, nftables, kernel sysctls, AppArmor, sudo hardening, impermanence, SOPS integration, SSH configuration, GPG, mail, and password-manager tooling.
Why it exists
Security behavior cuts across the system. It affects networking, boot assumptions, persistence, user secrets, and service exposure. A branch makes that cross-cutting concern selectable without mixing all of it into unrelated leaves.
Balanced and hardened modes
Some leaves read my.profile.security.level and add stricter settings only when the level is hardened.
```nix
{ config, lib, ... }:
let
  # True only when the host's security profile is set to "hardened".
  isHardened = config.my.profile.security.level == "hardened";
in {
  networking.firewall = {
    enable = true;
  } // lib.optionalAttrs isHardened {
    # Extra restriction that only hardened hosts pick up.
    allowPing = false;
  };
}
```
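As an added example (not code from the page's project), the same level-gating pattern applied to a kernel-sysctl leaf, together with one way the my.profile.security.level option itself could be declared. The page does not show that declaration; the enum type, the "balanced" default and the particular sysctl keys are assumptions chosen for illustration, and lib.mkMerge with lib.mkIf is used instead of the attribute-set merge above so that the hardened block can contribute to options that other modules also define.

```nix
# Added example, not from the page's project: a hypothetical leaf that
# declares my.profile.security.level and tightens kernel sysctls only when
# the level is "hardened". Option path and level names follow the page's
# text; the sysctl keys and the "balanced" default are illustrative.
{ config, lib, ... }:
let
  cfg = config.my.profile.security;
  isHardened = cfg.level == "hardened";
in
{
  # Assumed declaration: restricting the type to an enum means a typo such
  # as "hardend" fails at evaluation instead of silently selecting the
  # baseline behavior.
  options.my.profile.security.level = lib.mkOption {
    type = lib.types.enum [ "balanced" "hardened" ];
    default = "balanced";
    description = "Security level read by leaves; \"hardened\" enables stricter settings.";
  };

  config = lib.mkMerge [
    # Baseline that applies at every level.
    {
      boot.kernel.sysctl = {
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;
      };
    }

    # Additional restrictions contributed only on hardened hosts. mkIf keeps
    # the attribute paths defined (as empty) when the condition is false, so
    # other modules setting boot.kernel.sysctl merge cleanly.
    (lib.mkIf isHardened {
      boot.kernel.sysctl = {
        "kernel.kptr_restrict" = 2;
        "kernel.dmesg_restrict" = 1;
        "kernel.unprivileged_bpf_disabled" = 1;
      };
    })
  ];
}
```

A host opts in with my.profile.security.level = "hardened"; every leaf that reads the level then picks up its stricter block, while balanced hosts keep only the baseline entries.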