Security Leaf
cells/core/security.nix contributes host hardening to the security branch.
Up: core leaves
Down: security branch | AppArmor | OpenSSH
What this leaf does
It enables runtime security features, AppArmor, sudo restrictions, and a set of kernel and network sysctls. It also disables OpenSSH by default for workstation-style systems.
```nix
security = {
  rtkit.enable = true;           # real-time scheduling broker for desktop audio
  protectKernelImage = true;     # blocks kexec and hibernation-based kernel replacement
  apparmor.enable = true;
  sudo = {
    enable = true;
    execWheelOnly = true;        # only members of wheel may run sudo
    wheelNeedsPassword = true;   # no passwordless sudo for wheel
  };
};
services.openssh.enable = false;
```
Why it belongs to security
These settings form the default hardening layer. They are not desktop-specific, but they are also not always appropriate for every server role. Keeping them in security makes the profile explicit.
Hardened additions
When the security level is hardened, the leaf adds stricter kernel and network settings.
```nix
# baseSysctls and isHardened are defined elsewhere in the leaf; `//` merges the
# hardened set on top of the baseline, and optionalAttrs yields {} otherwise.
boot.kernel.sysctl = baseSysctls // lib.optionalAttrs isHardened {
  "kernel.dmesg_restrict" = 1;        # hide the kernel log from unprivileged users
  "kernel.perf_event_paranoid" = 3;   # restrict unprivileged use of perf
};
```
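The two excerpts above leave `isHardened` and `baseSysctls` implicit. The following is an added, self-contained NixOS module (not the repository's own `cells/core/security.nix`) that shows one way the leaf's security settings and the hardened sysctl merge fit together. The option path `profiles.security.level`, the baseline sysctl set, and the use of `mkDefault` for OpenSSH are assumptions made for this illustration, not something the page states.

```nix
# Added example module, not the project's own code. Assumed: the security
# level is exposed as an option, and a small baseline sysctl set exists.
{ config, lib, ... }:

let
  cfg = config.profiles.security;           # assumed option path
  isHardened = cfg.level == "hardened";

  # Assumed baseline sysctls applied at every level (constructed for this example).
  baseSysctls = {
    "kernel.kptr_restrict" = 2;             # hide kernel pointers even from root reads
    "kernel.yama.ptrace_scope" = 1;         # ptrace only descendants
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.conf.all.rp_filter" = 1;      # reverse-path filtering
    "net.ipv4.conf.all.accept_redirects" = 0;
  };
in
{
  options.profiles.security.level = lib.mkOption {
    type = lib.types.enum [ "default" "hardened" ];
    default = "default";
    description = "Host hardening level applied by the security leaf.";
  };

  config = {
    security = {
      rtkit.enable = true;
      protectKernelImage = true;
      apparmor.enable = true;
      sudo = {
        enable = true;
        execWheelOnly = true;
        wheelNeedsPassword = true;
      };
    };

    # mkDefault keeps SSH off for workstations while letting a server role
    # module set `services.openssh.enable = true` without mkForce.
    services.openssh.enable = lib.mkDefault false;

    # `//` takes the right-hand attribute on key collisions, so the hardened
    # values override the baseline; when isHardened is false the right operand
    # is {} and the baseline is used unchanged.
    boot.kernel.sysctl = baseSysctls // lib.optionalAttrs isHardened {
      "kernel.dmesg_restrict" = 1;
      "kernel.perf_event_paranoid" = 3;
    };
  };
}
```

Importing this module and setting `profiles.security.level = "hardened";` in a host configuration yields the merged sysctl set; with the default level only `baseSysctls` is applied. Note that `//` only merges within this module; values set for `boot.kernel.sysctl` by other modules are still combined by the NixOS module system, so a conflicting definition elsewhere must be resolved with the usual priority mechanisms.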