This is an opinionated secure base config for your NixOS system. It provides:
- Hardened Kernel
- Hardened Profile (`<nixpkgs/nixos/modules/profiles/hardened.nix>`)
- Hardened OpenSSH
- Enabled Antivirus (ClamAV)
- Enabled AppArmor
- Enabled Auditing
- Enabled Fail2Ban (when SSH enabled)
- Enabled Logrotate (⚠️ not configured)
- Enabled PAM Passwd Requirements
- Enabled Sysstat
- Enabled USBGuard
- Encrypted DNS over TLS via Cloudflare
- Encrypted Network Time Security (NTS) via Cloudflare and System76
- Installed Chkrootkit (⚠️ not on PATH)
- Installed AIDE (⚠️ not configured or on PATH)
- Installed acct
With Lynis and this base config, the machine has a hardening score of 79/100.
3GB of memory is suggested when using ClamAV; otherwise disable it like so:

```nix
services.clamav = {
  daemon.enable = false;
  updater.enable = false;
};
```
Example `flake.nix` that pulls in the secure-nix modules:

```nix
{
  description = "Your Flake";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    secure-nix = {
      url = "github:nealfennimore/secure-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, secure-nix }: {
    nixosConfigurations = {
      my_system = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = secure-nix.modules ++ [
          ./configuration.nix
        ];
      };
    };
  };
}
```
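An added example `configuration.nix` (not part of secure-nix) that closes the ⚠️ gaps listed above: it disables ClamAV on a low-memory host, puts chkrootkit and AIDE on PATH, and gives logrotate a minimal global policy. The package names `chkrootkit` and `aide` and the `services.logrotate.settings` option are assumed from nixpkgs/NixOS, not taken from this page.

```nix
# configuration.nix (added example; referenced by the flake above)
{ config, pkgs, ... }:
{
  # ClamAV's daemon wants roughly 3GB of RAM for its signature database;
  # on a smaller host, turn it off as suggested above.
  services.clamav = {
    daemon.enable = false;
    updater.enable = false;
  };

  # secure-nix installs chkrootkit and AIDE but they are not on PATH.
  # Adding them to systemPackages makes `chkrootkit` and `aide` callable
  # from a root shell (package names assumed from nixpkgs).
  environment.systemPackages = with pkgs; [ chkrootkit aide ];

  # Logrotate is enabled by secure-nix but not configured. Global defaults
  # go under the special `header` entry (assumed from the NixOS
  # services.logrotate module); per-file entries can override them.
  services.logrotate.settings.header = {
    frequency = "weekly";
    rotate = 4;
    compress = true;
    missingok = true;
    notifempty = true;
  };

  # With SSH enabled, secure-nix also enables Fail2Ban for it.
  services.openssh.enable = true;
}
```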