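# NixOS host module: kernel specialisations, the doas policy, and a doas-backed
# "ns" wrapper that runs a command inside a named network namespace.
{ lib, pkgs, ... }:
let
  # Privileged half of the wrapper.  doas runs it as root (see the `cmd =
  # ns-raw` rule below); it enters the namespace and immediately drops back to
  # the calling user, whose name doas exposes as DOAS_USER.
  nsExec = pkgs.writeShellScriptBin "ns-raw" ''
    # Refuse to run outside doas: without DOAS_USER there is nobody to drop to,
    # and a direct root invocation would otherwise fail inside setpriv with a
    # less obvious error.
    if [ -z "$DOAS_USER" ]; then
      echo "ns-raw: DOAS_USER is not set; invoke through doas (use the 'ns' wrapper)" >&2
      exit 1
    fi
    if [ $# -lt 1 ]; then
      echo "usage: ns <netns> <command> [args...]" >&2
      exit 64
    fi
    ns="$1"
    shift
    # --reuid/--regid: become the caller again.
    #   NOTE(review): --regid is given the *user* name; this assumes a group of
    #   the same name exists for each caller (NixOS does not create one by
    #   default) -- confirm.
    # --clear-groups: no supplementary groups inside the namespace.
    # --inh-caps=-all: nothing inheritable survives the exec.
    # NOTE(review): the bounding set is left intact and no-new-privs is not
    # requested, so setuid binaries inside the namespace behave exactly as
    # they do outside it; confirm that is intended for the work/agent callers.
    exec ${pkgs.iproute2}/bin/ip netns exec "$ns" \
      ${pkgs.util-linux}/bin/setpriv \
      --reuid="$DOAS_USER" --regid="$DOAS_USER" \
      --clear-groups \
      --inh-caps=-all \
      "$@"
  '';

  # Unprivileged entry point.  The doas rule below grants root only for the
  # ns-raw store path, not for an arbitrary command line.
  nsWrapper = pkgs.writeShellScriptBin "ns" ''
    exec /run/wrappers/bin/doas ${nsExec}/bin/ns-raw "$@"
  '';
in
{
  imports = [
    ./hardened.nix
    ./vfio.nix
    ./standard.nix
    # ./apparmor.nix
  ];

  custom.kernel.hardened.enable = true;
  custom.kernel.vfio.enable = false;
  custom.kernel.standard.enable = true;
  # security.apparmor.enable = false;

  # Boot-menu variants: one without the hardened kernel config, one with the
  # VFIO config enabled in place of the standard one.
  specialisation.unhardened.configuration = {
    custom.kernel.hardened.enable = lib.mkForce false;
    # security.apparmor.enable = lib.mkForce false;
  };
  specialisation.vfio.configuration = {
    custom.kernel.vfio.enable = lib.mkForce true;
    custom.kernel.standard.enable = lib.mkForce false;
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = true;

  security.rtkit.enable = true;
  # doas is the only privilege-escalation path; sudo is not installed.
  security.sudo.enable = false;
  security.doas = {
    enable = true;
    extraRules = [
      # Interactive root: password required, cached across calls (persist),
      # caller's environment passed through (keepEnv).
      { users = [ "user" ]; runAs = "root"; keepEnv = true; persist = true; }
      # Passwordless switch to the two secondary accounts; "work" gets a clean
      # environment, "agent" inherits the caller's.
      { users = [ "user" ]; runAs = "work"; noPass = true; keepEnv = false; }
      { users = [ "user" ]; runAs = "agent"; noPass = true; keepEnv = true; }
      # Passwordless root, restricted to ns-raw, which re-drops to DOAS_USER
      # before running anything.  No `args` restriction is set, so any
      # namespace name and command line may be passed through.
      # NOTE(review): the script relies on DOAS_USER being set by doas itself;
      # confirm the doas build in use does not let a kept environment
      # (keepEnv = true) supply that variable instead.
      {
        users = [ "user" "agent" "work" ];
        runAs = "root";
        noPass = true;
        keepEnv = true;
        cmd = "${nsExec}/bin/ns-raw";
      }
    ];
  };
  environment.systemPackages = [ nsWrapper ];

  security.pam.services.su.requireWheel = true;
  security.pam.services.newgrp.requireWheel = true;
  # This used to be a verbatim copy of the module-generated /etc/pam.d/login
  # with absolute /nix/store paths baked into `text`.  Such paths stop matching
  # the deployed packages on the next nixpkgs update and are garbage-
  # collectable, which can leave the login service unable to load its modules
  # (a lockout), and they also silently bypass any other PAM option enabled
  # elsewhere in the configuration.  The only deviation from the default login
  # stack was the gnome-keyring module, so let the module generate the file.
  security.pam.services.login.enableGnomeKeyring = true;

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    kernelPackages = pkgs.linuxPackages_zen;
    # IOMMU is needed for the vfio specialisation; harmless otherwise.
    kernelParams = [ "amd_iommu=on" ];
  };
}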