Add some security modules
diff --git a/modules/apparmor.nix b/modules/apparmor.nix
index fddd363..64ebd34 100644
--- a/modules/apparmor.nix
+++ b/modules/apparmor.nix
@@ -18,19 +18,31 @@
profile default_deny /** { }
'';
enforce = false;
- enable = true;
+ enable = false;
};
sudo = {
profile = ''
- ${config.security.wrapperDir}/sudo {
- file rwlkUx,
+ ${pkgs.sudo}/bin/sudo {
+ file /** rwlkUx,
}
'';
+ enforce = false;
+ enable = false;
+ };
+
+ nix = {
+ profile = ''
+ ${pkgs.nix}/bin/nix {
+ unconfined,
+ }
+ '';
+ enforce = false;
+ enable = false;
};
};
};
- services.dbus.apparmor = "required";
+ services.dbus.apparmor = "disabled";
};
}
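Review bot: The sudo profile's `file /** rwlkUx,` grants read, write, lock, link and unconfined execute on every path, and the new nix profile is `unconfined`, so even if `enable` were flipped back to true neither profile would confine anything; together with `enable = false` on all three profiles and `services.dbus.apparmor = "disabled"`, this file now contributes no enforcement at all. If that is intentional scaffolding, a comment at the top of the profiles block should say so, e.g. `# Placeholder profiles, deliberately disabled: "/** Ux" and "unconfined" grant no confinement; tighten before enabling.`, so the next reader does not assume sudo is mediated. The attach path also moved from `${config.security.wrapperDir}/sudo` to `${pkgs.sudo}/bin/sudo`; on NixOS the setuid entry point is the wrapper, which execs the store binary, so the profile presumably still attaches on that exec, but confirm with aa-status once a profile is enabled. The enclosing attribute set starts above the hunk.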
diff --git a/modules/firewall.nix b/modules/firewall.nix
index 09045f4..54943a9 100644
--- a/modules/firewall.nix
+++ b/modules/firewall.nix
@@ -1,3 +1,3 @@
{
- networking.firewall.enable = true;
+ config.networking.firewall.enable = true;
}
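Review bot: The switch to `config.networking.firewall.enable = true;` makes this the only module in the commit using the `config.` prefix form; security.nix in the same change writes `security.auditd.enable = true;` bare. Both forms evaluate identically for a module with no `options`, so pick one convention across modules/ rather than mixing them. A short comment would also help, since a one-key module with a `config.` prefix reads like an unfinished `options`/`config` split: `# Enable the NixOS firewall; no ports are opened in this module.`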
diff --git a/modules/security.nix b/modules/security.nix
index fe3b333..889e44d 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -11,6 +11,12 @@
services.fprintd.enable = true;
environment.persistence."/nix/persist".directories = [ "/var/lib/fprint" ];
+ security.auditd.enable = true;
+ services.syslogd.enable = true;
+ services.syslogd.extraConfig = ''
+ *.* -/var/log/syslog
+ '';
+ services.journald.forwardToSyslog = true;
security.apparmor = {
enable = true;
killUnconfinedConfinables = true;