nixos-system-config/modules/nixos/core/security.nix

{ ... }:

{
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  /*
   * Sudo is scheduled to be replaced by systemd's run0.
   * The blocker for this is persistent authentication support.
   *
   * https://github.com/systemd/systemd/issues/33366
   * https://github.com/polkit-org/polkit/issues/472
   */
  security.sudo = {
    enable = true;
    execWheelOnly = true;
    extraConfig = ''
      Defaults  lecture="never"
    '';
  };

  security.apparmor.enable = true;
  networking.firewall.enable = true;

  /* Disable the root user */
  users = {
    users.root.hashedPassword = "!";
    mutableUsers = false;
  };

  sops.age.keyFile = "/nix/config/keys.txt";
}
last cope 2025-01-20 00:29:00 +01:00			`{ ... }:`
Progress rewrite further 2025-01-10 23:38:56 +01:00
			`{`
More configuration progression 2025-01-11 02:00:28 +01:00			`programs.gnupg.agent = {`
Progress rewrite further 2025-01-10 23:38:56 +01:00			`enable = true;`
			`enableSSHSupport = true;`
			`};`

			`/*`
			`* Sudo is scheduled to be replaced by systemd's run0.`
			`* The blocker for this is persistent authentication support.`
			`*`
			`* https://github.com/systemd/systemd/issues/33366`
			`* https://github.com/polkit-org/polkit/issues/472`
			`*/`
			`security.sudo = {`
			`enable = true;`
			`execWheelOnly = true;`
			`extraConfig = ''`
			`Defaults lecture="never"`
			`'';`
			`};`

			`security.apparmor.enable = true;`
			`networking.firewall.enable = true;`

			`/* Disable the root user */`
			`users = {`
			`users.root.hashedPassword = "!";`
			`mutableUsers = false;`
			`};`
gn 2025-01-19 03:05:43 +01:00
last cope 2025-01-20 00:29:00 +01:00			`sops.age.keyFile = "/nix/config/keys.txt";`
Progress rewrite further 2025-01-10 23:38:56 +01:00			`}`