Security modules

Cross-cutting complementary measures — Annex A (C1–C12). (wip)

These measures have no ANSSI number but are essential to the guide’s spirit. Covers linux-hardened patches (C1), Lockdown LSM (C2), USBGuard (C3), nftables deny-by-default (C4), hardened SSH (C5), LUKS2 (C6), NTP/NTS (C7), secure DNS (C8), disabled core dumps (C9), PAM anti brute-force (C10), legal banners (C11), and cron/at restriction (C12).

  • enable bool Enable complementary ANSSI measures (C1–C12).
  • lockdownLevel enum [ "none" "integrity" "confidentiality" ] Lockdown LSM level (C2)
  • lsmStack listOf str LSM stack order (C2, R11, R20). Modifies boot.kernelParams lsm=…
  • ntpServers listOf str NTP/NTS servers (C7).
  • useNts bool Enable NTS (Network Time Security) for NTP authentication (C7).
  • sshBanner str SSH banner displayed before authentication (C11).
  • cronAllowedUsers listOf str Users allowed to schedule cron jobs (C12).
  • egressAllowlist listOf str IP/CIDR allowed outbound for strict nftables egress filtering (C4).
darkone.security.complement = {
  enable = false;
  lockdownLevel = "integrity";
  lsmStack = [ ];
  ntpServers = [ ];
  useNts = true;
  sshBanner = ''
    *** Access restricted to authorized personnel ***
    All connections are logged and may be subject to prosecution.
  '';
  cronAllowedUsers = [ ];
  egressAllowlist = [ ];
};

Partitioning, file tree, and file permissions (R28–R29, R50–R57). (wip)

Covers secure mount options (R28), restriction of /boot (R29), permissions of sensitive files (R50), passwords kept out of the store (R51), sockets (R52), orphan files (R53), sticky bit (R54), per-user temporary directories (R55), and setuid (R56, R57).

  • enable bool Enable ANSSI filesystem hardening (R28–R29, R50–R57).
  • allowedSetuid listOf str Allowlist of tolerated setuid/setgid binaries (R56, R57).
darkone.security.filesystem = {
  enable = false;
  allowedSetuid = [ ];
};

Filesystem integrity — HIDS (R76–R77). (wip)

Covers sealing and integrity verification via AIDE (R76) and protection of the sealed database with GPG signature plus remote copy (R77).

  • enable bool Enable ANSSI HIDS integrity — AIDE (R76–R77).
  • aideRemoteCopy nullOr (submodule { host, sshKeyFile }) Remote copy of the GPG-signed AIDE database (R77). null = disabled.
    • host str Remote host for the AIDE database copy.
    • sshKeyFile path Path to the private SSH key for the remote copy.
darkone.security.integrity = {
  enable = false;
  # Either null (no remote copy) or a submodule with both attributes set,
  # e.g. aideRemoteCopy = { host = "<remote-host>"; sshKeyFile = "<path-to-key>"; };
  # Defining aideRemoteCopy = null together with aideRemoteCopy.host is a Nix
  # evaluation error (conflicting definitions), so only one form is given here.
  aideRemoteCopy = null;
};

Logging and auditd (R71–R73). (wip)

Covers persistent logging with TLS forwarding (R71), per-service dedicated journals (R72), and auditd with ANSSI rules (R73).

  • enable bool Enable ANSSI logging and auditd (R71–R73).
darkone.security.journaling.enable = false;

Static kernel configuration — requires recompilation (R15–R27). (wip)

These rules require a custom kernel via boot.kernelPackages. NixOS allows this through structuredExtraConfig. All these rules carry the kernel-recompile tag: they are skipped if that tag is in excludes.

  • enable bool Enable the ANSSI kernel recompilation module (R15–R27).
darkone.security.kernel-build.enable = false;
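The paragraph above names the mechanism the module relies on: a kernel rebuilt with structuredExtraConfig. The snippet below is an added illustration of that mechanism in plain NixOS, not the module's own code; the Kconfig symbols are common kernel hardening options chosen for illustration, and which of them the module actually maps to R15–R27 is an assumption not stated on this page.

```nix
{ pkgs, lib, ... }:

{
  # Added example (not part of the framework): rebuild the kernel with
  # hardening options fixed at compile time. This is the NixOS
  # structuredExtraConfig pattern the R15-R27 module builds on.
  boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux.override {
    structuredExtraConfig = with lib.kernel; {
      # Address-space and stack hardening
      RANDOMIZE_BASE = yes;              # KASLR
      STACKPROTECTOR_STRONG = yes;
      VMAP_STACK = yes;
      SCHED_STACK_END_CHECK = yes;

      # Kernel text/data protections
      STRICT_KERNEL_RWX = yes;
      STRICT_MODULE_RWX = yes;
      DEBUG_WX = yes;                    # warn about W+X mappings at boot

      # Heap and copy hardening
      HARDENED_USERCOPY = yes;
      FORTIFY_SOURCE = yes;
      SLAB_FREELIST_RANDOM = yes;
      SLAB_FREELIST_HARDENED = yes;
      INIT_ON_ALLOC_DEFAULT_ON = yes;    # zero memory on allocation
      BUG_ON_DATA_CORRUPTION = yes;

      # Attack-surface reduction
      LEGACY_PTYS = no;
      COMPAT_BRK = no;                   # keep brk randomisation
      STRICT_DEVMEM = yes;
      IO_STRICT_DEVMEM = yes;

      # LSMs used elsewhere in this guide (C2 Lockdown, R11 Yama)
      SECURITY_LOCKDOWN_LSM = yes;
      SECURITY_LOCKDOWN_LSM_EARLY = yes;
      SECURITY_YAMA = yes;
    };
    # Tolerate symbols that do not exist for this kernel version/arch.
    ignoreConfigErrors = true;
  });
}
```

When the base is pkgs.linux_hardened instead of pkgs.linux, several of these symbols are already pinned; a value that conflicts with the base configuration must be wrapped in lib.mkForce, identical values merge without error.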

Dynamic kernel configuration: boot parameters and sysctls (R8–R14). (wip)

Rules applicable without recompiling the kernel. Covers memory options (R8), system sysctls (R9), disabling module loading (R10), Yama/ptrace (R11), IPv4 network sysctls (R12), IPv6 disabling (R13), and filesystem sysctls (R14).

  • enable bool Enable ANSSI dynamic kernel parameters (R8–R14).
darkone.security.kernel-params.enable = false;

Mandatory Access Control — MAC (R37, R45–R49). (wip)

R37 is a meta rule: valid if at least R45 (AppArmor) or R46 (SELinux) is active. SELinux (R46–R49) is not supported on NixOS and is excluded by default via exceptions. AppArmor (R45) is partially supported.

  • enable bool Enable ANSSI MAC module — AppArmor/SELinux (R37, R45–R49).
darkone.security.mac.enable = false;

Local mail handling (R74–R75). (wip)

Covers the local MTA hardened to loopback-only (R74) and mail aliases routed to the administrator’s address (R75). These rules only apply if an MTA service is active (Postfix or OpenSMTPD).

  • enable bool Enable ANSSI MTA hardening (R74–R75).
darkone.security.mta.enable = false;

Network services — isolation and supervision (R78–R80). (wip)

Covers isolation of network services (R78: server category), hardening and monitoring of exposed services (R79: fail2ban, HTTP headers, ANSSI TLS) and reduction of the network surface (R80).

  • enable bool Enable ANSSI network hardening (R78–R80).
  • exposedServices listOf str Public services for which fail2ban and supervision will be enabled (R79).
  • publicListeners listOf str Services allowed to listen on 0.0.0.0 / :: (R80).
  • httpsHeaders bool Adds ANSSI HTTP security headers in Nginx/Caddy (R79).
  • tlsCiphers listOf str ANSSI TLS cipher suite for Nginx (R79).
darkone.security.network = {
  enable = false;
  exposedServices = [ ];
  publicListeners = [ ];
  httpsHeaders = true;
  tlsCiphers = [ ];
};

NSS — Remote user databases (R69–R70). (wip)

Rules applicable only if an external NSS is active (SSSD, nslcd). Not currently relevant for DNF; see what can be done with Kanidm + PAM.

Covers hardening of remote databases (R69: TLS mandatory) and separation of system and directory accounts (R70).

  • enable bool Enable ANSSI NSS hardening (R69–R70).
darkone.security.nss.enable = false;

Package management and updates (R58–R61). (wip)

Covers installing only what is strictly necessary (R58), trusted repositories (R59), hardened repositories (R60: linux_hardened), and regular updates (R61).

  • enable bool Enable ANSSI package management (R58–R61).
  • trustedSubstituters listOf str Allowlist of authorized Nix binary caches (R59).
  • trustedPublicKeys listOf str Public keys for authorized binary caches (R59).
darkone.security.packages = {
  enable = false;
  trustedSubstituters = [ ];
  trustedPublicKeys = [ ];
};

PAM — Authentication and password storage (R67–R68). (wip)

Covers secure remote PAM authentication (R67: SSSD, Kerberos, pam_faillock) and encrypted password storage (R68: yescrypt).

  • enable bool Enable ANSSI PAM module — authentication and passwords (R67–R68).
darkone.security.pam.enable = false;

Hardware configuration and secure boot (R1–R7). (wip)

Covers UEFI Secure Boot (R3), lanzaboote, bootloader password (R5), signed UKIs (R6), and IOMMU (R7). R1 and R2 (hardware/firmware) are out of NixOS scope and only produce a note in the report.

  • enable bool Enable ANSSI secure boot — Secure Boot, IOMMU (R1–R7).
darkone.security.preboot.enable = false;

Hardening of systemd services (R62–R66). (wip)

Covers disabling unnecessary services (R62), reducing functionality via systemd security options (R63), privilege restriction (R64), isolation (R65), and hardening of containerization components (R66).

  • enable bool Enable ANSSI hardening of systemd services (R62–R66).
  • rootServicesAllowed listOf str systemd services allowed to run as root without CapabilityBoundingSet (R64).
darkone.security.services = {
  enable = false;
  rootServicesAllowed = [ ];
};

sudo hardening (R38–R44). (wip)

Covers the dedicated sudo group (R38), hardened sudo directives (R39), restriction of non-root targets (R40), NOEXEC limitation (R41), forbidding negations (R42), explicit argument specification (R43), and use of sudoedit (R44).

  • enable bool Enable ANSSI sudo hardening (R38–R44).
  • allowedRootRules listOf str sudo rules allowed to target root (R40). Others must target a service account.
darkone.security.sudo = {
  enable = false;
  allowedRootRules = [ ];
};

User accounts and authentication (R30–R36). (wip)

Covers unused accounts (R30), password policy (R31), inactivity locking (R32), admin accountability (R33), service accounts (R34), unique service accounts (R35), and umask (R36).

  • enable bool Enable ANSSI account management (R30–R36).
darkone.security.users.enable = false;