refactor(systemModule:security): split into modules and add kernel hardening

2024-04-29 18:45:37 +12:00 · 2024-04-29 18:45:37 +12:00 · 3a91848085
commit 3a91848085
parent 2c25c8c762
6 changed files with 322 additions and 53 deletions
--- a/system/modules/security/default.nix
+++ b/system/modules/security/default.nix
@ -1,55 +1,9 @@
-{ lib, config, pkgs, ... }:
-
-let
-  cfg = config.systemModules.security;
-in
-
 {
-  config = lib.mkIf cfg.enable {
-
-    environment.systemPackages = with pkgs; [
-      polkit_gnome
-    ];
-
-    programs = {
-      gnupg.agent = {
-        enable = true;
-        enableSSHSupport = true;
-      };
-      _1password = {
-        enable = true;
-      };
-      _1password-gui = {
-        enable = true;
-        polkitPolicyOwners = [ "ooks" ];
-      };
-    };
-    security = {
-      polkit = {
-        enable = true;
-      };
-      sudo = {
-        enable = true;
-        wheelNeedsPassword = false;
-      };
-      rtkit.enable = true;
-      pam.services.hyprlock = {};
-    };
-
-    systemd = {
-      user.services.polkit-gnome-authentication-agent-1 = {
-        description = "polkit-gnome-authentication-agent-1";
-        wantedBy = [ "graphical-session.target" ];
-        wants = [ "graphical-session.target" ];
-        after = [ "graphical-session.target" ];
-        serviceConfig = {
-          Type = "simple";
-          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-          Restart = "on-failure";
-          RestartSec = 1;
-          TimeoutStopSec = 10;
-        };
-      };
-    };
-  };
+  import = [
+    ./1password
+    ./kernel
+    ./pam
+    ./polkit
+    ./sudo
+  ];
 }