feat: hardening nixos desktops (#160)

* feat: hardening nixos desktops * refactor: move hardening to the root folder * feat: add nixpaks into nixpkgs via overlays * feat: nixpak - add netease music * docs: hardening * fix: nvidia * fix: disable apparmor & hardening profile to avoid neovim being killed * fix: firefox cursor & fonts
2026-04-25 09:28:27 +02:00 · 2024-09-05 23:59:39 +08:00
parent 773688a9e5
commit df9ca7aefa
21 changed files with 626 additions and 13 deletions
--- a/hardening/apparmor/default.nix
+++ b/hardening/apparmor/default.nix
@@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.dbus.apparmor = "enabled";
+  security.apparmor = {
+    enable = true;
+
+    # kill process that are not confined but have apparmor profiles enabled
+    killUnconfinedConfinables = true;
+    packages = with pkgs; [
+      apparmor-utils
+      apparmor-profiles
+    ];
+
+    # apparmor policies
+    policies = {
+      "default_deny" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          profile default_deny /** { }
+        '';
+      };
+
+      "sudo" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          ${pkgs.sudo}/bin/sudo {
+            file /** rwlkUx,
+          }
+        '';
+      };
+
+      "nix" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          ${config.nix.package}/bin/nix {
+            unconfined,
+          }
+        '';
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    apparmor-bin-utils
+    apparmor-profiles
+    apparmor-parser
+    libapparmor
+    apparmor-kernel-patches
+    apparmor-pam
+    apparmor-utils
+  ];
+}