Secure boot and sandbox on NixOS?

I’ve been using Nix as my daily driver; the atomic system/package manager was one of the main things that attracted me to it, plus avoiding the telemetry of proprietary OSes and software freedom.

While I do know that having strong secure boot and sandboxing on Linux is difficult (and it won’t be as strong as on other OSes), I still wanna know what would be recommended, since I want good malware protection (basically, ensuring that if an application gets compromised, the malware will stay contained in there and not escape to the whole system, and after a reboot the malware will no longer persist). Man-in-the-Middle/Evil Maid attacks are not so likely in my threat model, but I feel having protection against these would be good as well.

And one thing I thought of, considering NixOS reproducibility:
Is there already a privacyguides community configuration.nix? I feel this would be a good project to make: a configuration.nix with the maximum privacy and security possible that everyone could just copy and get going on their system.


For secure boot, there is lanzaboote.

About sandboxing, really the only way is to wrap everything with Bubblewrap. This is very difficult though and will take a lot of trial and error to make your applications work properly in the sandbox. There is also GNU Guix. It has proper container support that can wrap any application. IMO it is a lot better than NixOS’s implementation. NixOS does have somewhat (?) of a container implementation: NixOS Containers - NixOS Wiki.

Of course, there is just normal Flatpak too, which can then be used with Flatseal. Though, it does somewhat defeat the declarative nature of NixOS.

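A configuration.nix fragment that ties the two recommendations above (lanzaboote for secure boot, Bubblewrap for per-application sandboxing) together, added here as an example; it is not code from this reply or from the lanzaboote or bubblewrap projects. It assumes the lanzaboote NixOS module is already imported and your keys are enrolled with sbctl; `pkgs.untrustedApp` is a hypothetical package name and the `pkiBundle` path is an assumption.

```nix
# Added example, not from the thread. Assumes the lanzaboote module is imported
# and keys were enrolled with sbctl; pkgs.untrustedApp and the key path are
# placeholders for your own application and key directory.
{ config, lib, pkgs, ... }:

let
  # Wrap an application with bubblewrap so it sees only a private HOME,
  # a read-only Nix store and the minimum of /etc needed to resolve names.
  # Anything not bound in is simply absent inside the sandbox, so a
  # compromised app cannot read or persist into the real home directory.
  # GUI apps additionally need their display socket bound in.
  sandboxed = { pkg, bin ? pkg.pname, net ? false }:
    pkgs.writeShellScriptBin bin ''
      mkdir -p "$HOME/.sandbox/${bin}"
      exec ${pkgs.bubblewrap}/bin/bwrap \
        --unshare-all ${lib.optionalString net "--share-net"} \
        --die-with-parent --new-session \
        --ro-bind /nix/store /nix/store \
        --ro-bind /etc/resolv.conf /etc/resolv.conf \
        --ro-bind /etc/ssl /etc/ssl \
        --dev /dev --proc /proc --tmpfs /tmp \
        --bind "$HOME/.sandbox/${bin}" "$HOME" \
        --setenv HOME "$HOME" \
        ${pkg}/bin/${bin} "$@"
    '';
in
{
  # Secure boot via lanzaboote: kernel and initrd are signed with your own
  # keys, so a boot chain modified offline (evil maid) fails to start.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl"; # assumption: directory created by sbctl
  };

  # The sandboxed wrapper is what ends up in PATH, not the bare package.
  environment.systemPackages = [
    (sandboxed { pkg = pkgs.untrustedApp; bin = "untrusted-app"; net = true; })
  ];
}
```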

Regarding privacy and security configs, there’s a hardened.nix profile in the nixos repos:

I also enable MAC randomization, sudo-rs, various wayland envars, and automatic updates in my own config, but I also disable some of the settings in hardened.nix which break functionality I want:

Most of this does very little for applications though. Apparmor support for example is very much a work in progress…

Oh, that’s awesome, thanks for letting me know!

I’m curious tho, how did you implement automatic updates in your own config if you don’t mind sharing? (manually updating it every week is a bit of a bore sometimes)

```nix
  # automatically deploy updates
  system.autoUpgrade = {
    enable = true;
    operation = "boot"; # deploys the update as a new boot entry; use the default "switch" for immediate effect.
  };
```

FYI the hardened profile is up for removal. I currently use nix-mineral as inspiration for hardening my systems. You can try out nix-bwrapper or nixpak for sandboxing Nix packages. There’s also nix-flatpak for declarative Flatpak management. Also, a Nixpkgs contributor has started improving AppArmor support for NixOS. There’s also a PR for adding SELinux support.

> is there already a privacyguides community configuration.nix? I feel this would be a good project to make, a configuration.nix for the maximum privacy and security as possible that everyone could just copy and get going on their system

There isn’t a “one size fits all” solution for security and privacy. One of the reasons why the hardened profile is being removed is because “it is difficult to manage user expectations, especially since the implications of enabling it are not always obvious, and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.” You need to make changes based on your threat model.
