Security and Hardening

The darkone.system.security module progressively applies the ANSSI BP-028 🡕 (GNU/Linux) hardening recommendations. Each host chooses a level and a category; the appropriate rules activate automatically.

Module under development

ANSSI hardening is being stabilized. Increase the level progressively and test each host before production.

Level and category

darkone.system.security = {
  enable   = true;
  level    = "intermediary";   # minimal | intermediary | reinforced | high
  category = "server";         # base | client | server
};

Level	Purpose
minimal	Common base, any system (default)
intermediary	Recommended for almost all systems
reinforced	Sensitive or multi-user systems
high	Dedicated skills and budget (kernel recompilation)

Category	Purpose
base	Universal rules, always applied (default)
client	Workstation (desktop, USB, session, locking)
server	Server (hardened network, logging, exposed services)

Activation per rule

A rule activates if the module is enabled and the level covers its severity and the category matches and no exclusion tag or exception targets it.

Excluding a group of rules

Some rules break legitimate use cases. Disable a group by tag:

darkone.system.security.excludes = [ "needs-hibernation" "needs-jit" ];

Tag	Disables
kernel-recompile	Custom kernel rules (R15–R27)
no-ipv6	IPv6 disabling (R13, R22)
no-mac	MAC / AppArmor (R37, R45)
needs-hibernation	Preserves hibernation (laptops)
needs-jit	Allows JIT (Java, .NET, V8, Wasm)
needs-usb-hotplug	Disables USBGuard

Overriding a specific rule

A single rule can be bypassed with a mandatory rationale:

darkone.system.security.exceptions = {
  R9.rationale = "Rootless containers required during development.";
};

Side effects

Some rules hinder everyday use: noexec /tmp (R28), SMT disabled (R8), unsigned modules (R18). Check the module’s sideEffects comments before raising the level in production.

MAC, firewall, fail2ban

• MAC / AppArmor (R37, R45) : application confinement ; SELinux is structurally unsupported on NixOS (exceptions R46–R49 by default).
• Firewall & network : hardened by the server category (network module).
• fail2ban : bans IPs after repeated attempts ; service to enable in the catalogue.

Service confinement and boot

Two rules require an explicit decision from the administrator :

• systemd sandbox (R52, R55, R63) : full confinement applies to units declared in darkone.security.services.hardenedUnits — empty by default, since blind hardening would break services. Units are added on a case-by-case basis after testing.
• Boot and encryption (R3, R5, C6) : the module warns if Secure Boot or LUKS are not detected, but does not reconfigure the boot process. These protections are declared in the host’s disk configuration (disko, lanzaboote).

darkone.security.services.hardenedUnits = [ "nginx" "gitea" ];

Rules reference

The complete mapping of rules (R1–R80, C1–C12) is in the catalogue and the modules reference.