Is nix-mineral as secure as secureblue? Where do you think it lacks? (And also, what is the closest thing to this that exists on Arch?)

nix-mineral is a NixOS module for system hardening. From reading the nix-mineral.nix file, I notice that many of the features of secureblue (such as kernel hardening, etc.) are also replicated in nix-mineral, so I wonder: are they about the same in terms of security, or how far behind is it compared to secureblue?

I'm also curious what the Arch Linux crowd consider a similar approach/config to this over on Arch Linux (since I've been thinking of doing an Arch install on another computer for occasionally testing stuff out).

It is behind, considerably. To mention one good example:

“Enable AppArmor and kill all processes that have an AppArmor profile but aren’t confined”

The security model in NixOS can't get automatic global profile MAC protection, given its non-FHS compliance.

Most major distros' FHS compliance can promote global profile MAC updates.

You configure Arch.
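To make the FHS point concrete, here is an added NixOS snippet (not code from nix-mineral, secureblue or the posters): it turns on the AppArmor behaviour the quoted secureblue feature describes and carries a hand-written profile for curl. Because a NixOS binary lives under a hashed /nix/store path instead of /usr/bin, a stock distro profile cannot attach to it; the attachment path has to be derived from the package, and the rules are illustrative and deliberately coarse.

```nix
# Added example: NixOS module fragment showing AppArmor on a non-FHS system.
# The option names are the stock NixOS security.apparmor options; the curl
# profile body is a constructed illustration, not a vetted policy.
{ pkgs, ... }:
{
  security.apparmor = {
    enable = true;

    # Kill processes that have a profile but were started unconfined.
    # This is the NixOS counterpart of the secureblue feature quoted above.
    killUnconfinedConfinables = true;

    policies."curl" = {
      enforce = true;
      # A Debian/Fedora profile would attach to /usr/bin/curl. On NixOS the
      # binary is /nix/store/<hash>-curl-<version>/bin/curl, so the path is
      # interpolated from the package and changes on every rebuild of curl.
      # That is why system-wide profile updates from upstream cannot simply
      # be dropped in: each profile is tied to the store path of one build.
      profile = ''
        ${pkgs.curl}/bin/curl {
          # Coarse: allow reading/mapping shared libraries from the store.
          # A real profile would list only the closure of curl.
          /nix/store/** mr,
          /etc/resolv.conf r,
          /etc/ssl/certs/** r,
          network inet stream,
          network inet6 stream,
          owner /home/*/** r,
        }
      '';
    };
  };
}
```

After `nixos-rebuild switch`, `aa-status` should list the curl profile in enforce mode; note that the listed path is the store path, which is the practical consequence of the non-FHS layout discussed above.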

Yeah, I've noticed this too regarding AppArmor/MAC stuff in general (which is a bit of a complicated topic on NixOS, ngl).

Do you have any examples of configurations on Arch similar to secureblue? I think the closest I've ever done myself was Arch Linux with FDE, BTRFS + Snapper, Wayland and AppArmor, and the linux_hardened kernel at the time (which I wouldn't do today anymore, lol), and I think I tried running hardened_malloc too but didn't fully understand how to implement it.

I don't have any examples. I plan to create a wiki here in the first quarter of 2026.