NixOS it's strengths, weaknesses and how to fix them

[Victor M]

Hi Everyone,

The last few weeks I have been experimenting with NixOS. Nix & NixOS | Declarative builds and deployments

It's main strength to me is that it offers package upgrade Batch integrity. The entire batch of packages being upgraded will fail if the stream is tampered with. It is better than just offering to check each individual package for validity; batch checks means nobody can deliberately insert malicious dual purpose app or a package with chosen vulnerabilities into your upgrade batch.

It has one single 'configuration.nix' configuration file where you specify everything, configure everything for your installation or upgrade. So there are no multiple .conf files to manage. And it makes for a very simple fresh install process, you just install the OS the first time, copy over your own configuration file and rebuild.

And it doesn't follow standard the standard Linux directory layout. There is still an /etc directory, but all of the normal editable '.conf' configuration files are links to the read-only directory /nix/store. And individual packages are also stored in that read only mounted volume. So there is some security via obscurity - normal Linux scripted attacks won't work.

NixOS has it's own way of specifying configurations, and it is with pre-defined 'options' which you can add to your 'configuration.nix' file. The options range from a single xxx.enable=yes to xxx.parameter= "..." . There is an option where you can add to the built in firewall rules. You have to find out available options here: https://nixos.org/manual/nixos/stable/options The fact that there exists 'options' for you to specify, means that things have been thought out, planned, and tested. And it is a good thing.

From browsing the available options, I see that NixOS has a focus on development teams, because there are option settings for collaboration servers of all sorts.

You also specify what packages to include in your 'configuration.nix' . You can find out what packages are available here: NixOS Search

Once you have finished specifying your changes in your 'configuration.nix', you do a build with the command 'nixos-rebuild switch'. It will reconfigure itself; download whatever new packages you added, and then you reboot.

NixOS offers rollback capability due to it keeping versions of each change. The boot menu just grows with each rebuild. When you wish to get rid of the old versions, there is a garbage collection command.

NixOS also has built in virtualization capabilities, just like Window's HyperV. It is intended for developers to build and test their software. I have not explored this facet.

NixOS also support apparmor, the mandatory access control at each program level. Since this distro uses a non-standard folder layout, and changeable guid directory names to package binaries, I would imagine it's usefulness would be limited.

-------------------------------------
Now, for the short comings. There is a command 'nix-env' and you can install any package interactively with 'nix-env -i myDesiredPackage' like in any normal distro. This command, however is executable by the whole world because of it's file permissions. You cannot restrict it via sudo. The work around is to manually re-mount the volume /nix/store as read-write; then change that permission by doing 'sudo chmod o-x ... ' and then re-mount the volume as read-only. And you have to remember to manually do that after each rebuild. It is hard to automate this because the /nix/store uses changeable guid folder names below. Someone explained away this configuration design fault to me as due to the distro being 'libre software', and they don't want to restrict the user's freedom. What security baloney.

An attacker that has made it onto an account can also use the command 'curl' to install software. This command is built in also and is also world executable. You have to find the current build's guid directory and change it's permission after every build.

The main thing I cannot live with is that the distro needs to be online when you re-build. Some changes do not require one to be online, but I find that to be unpredictable.And worse, is that the default install comes with very little software. Programs like Gnome Backup and Libre Office do not come standard. You can't do a restore from backup without Gnome Backup. So you Have to go online at least once, when your configuration is at it's weakest state - no needed firewall rules in place; un-needed daemons are not hardened; and so on. The best way to install an OS is to install it offline, configure and harden it, then expose it to the world.

So if you can live with the short comings I've identified, or think nothing of it, you are welcome to experiment and make additional improvements. I will be posting my current work-in-progress 'configuration.nix' file in the next post to this thread.

 

[Bot]

Hello,

Thanks for your detailed evaluation of NixOS. It's clear that you appreciate its strengths in package integrity, simplicity of the configuration file, and unique directory layout.

Regarding the concerns you've raised, it's true that the 'nix-env' command's permissions could pose a security risk, and the need to go online for a rebuild can be inconvenient. As an open-source project, NixOS is always open to improvements, and user feedback is invaluable.

Your workaround for the 'nix-env' permissions issue is a good start, although it's not ideal that it requires manual intervention. Hopefully, this can be addressed in future updates.

As for the need to be online during a rebuild, it's a valid concern. Perhaps the NixOS community could work on an offline installation feature or include more default software in future releases.

Looking forward to seeing your 'configuration.nix' file and hearing more about your journey with NixOS. Your feedback is beneficial for the continuous development of this OS.

Happy experimenting!

 

[Victor M]

Hi Everybody,

Here is the 'configuration.nix' configuration file for setting up and configuring NixOS. It belongs in the /etc/nixos directory.

The primary focus of the config is security. For example, I have a $25 YubiKey, which is a thin offline USB insert that Google helped popularize offering 2nd factor authentication. And I have added the necessary packages, and included comments on how to set it up. This 2nd factor is added to logins and sudo commands.

I have also inserted some firewall rules which drops unwanted packets early, and overrides what the default firewall rules accept. For example, packets that are of the 'new' state should never happen in a home setting; you reach outbound with your browser; send requests to the web site, and the returning traffic from the web site are of the state 'established'. So you can safely drop all 'new' packets. An attack would create 'new' packets. One would only encounter legit 'new' packets when one has a web server and thus have un-before seen incoming traffic. Windows Defender firewall rules doesn't have this capability. You should also drop tcp dport 6000:6007 traffic, they allow connections to an old Xwindows entry point, you have been warned. Firewall rules are your first line of defense, but there are ways around firewalls; like manipulating ip fragments and firewall optimisation behaviour. So the next thing to do is the reduce the amount of software and daemons ( services) that runs. Every unnecessary piece adds to your 'attack surface': your running pieces are potentially targets of exploits. Systemd is responsible for executing daemons like svchost is responsible for starting services in Windows. But Linix has hardening options which can be added to each service's configuration text file: like restricting it from affecting the kernel, accessing your home folders, manipulating devices, denying any IP traffic, and many more. Then there are useless standard programs that come along with Gnome, my chosen windows manager. And there is a place to specify which ones to eliminate. It's like going to Settings / Apps and removing programs like Sticky Notes ( which requires an MS account and lets MS read your notes and offer to sell additional things to you) . Except in NixOS, you do it all in one text file, set it up once, and it can be re-used and re-applied whenever you do a re-install, without repeating thru all the manual labor.

My additions are preceded with the comments '###MY', Anyways, here it is:
# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: { imports = [ ./restrict-nix-env.nix # Path to your module file # Include the results of the hardware scan. ./hardware-configuration.nix ]; # imports = [ # ./restrict-nix-env.nix # Path to your module file # ]; # lib.mkForce = "/etc/nixos/configuration.nix"; # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "nixos"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. #####MY CHANGES networking.enableIPv6 = false; # networking.tcpcrypt.enable = true ; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Enable networking networking.networkmanager.enable = true; # Set your time zone. time.timeZone = "America/California"; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; # Enable the X11 windowing system. services.xserver.enable = true; # Enable GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; # Configure keymap in X11 services.xserver = { layout = "us"; xkbVariant = ""; }; # Enable CUPS to print documents. # services.printing.enable = true; ###MY CHANGE services.ipp-usb.enable = false; services.printing.enable = false; services.avahi.enable = false; networking.firewall.package = pkgs.iptables; networking.firewall.enable = true; networking.firewall.extraCommands = "iptables -I INPUT 1 -f -j DROP iptables -I INPUT 2 -m state --state NEW -j DROP iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP iptables -I INPUT 6 -p udp --dport 6000:6007 -j DROP iptables -I INPUT 7 -p tcp --dport 22:23 -j DROP iptables -I INPUT 8 -m state --state RELATED -j DROP; iptables -I INPUT 9 -p tcp --dport 5353 -j DROP; iptables -I INPUT 10 -p udp --dport 5353 -j DROP; "; networking.firewall.allowedTCPPorts = [ 443 ]; ###MY CONFIG SECURITY security.apparmor.enable = true; nix.settings.sandbox = true; #programs.firefox = { # package = pkgs.firefox ; # security.sandbox = pkgs.sandboxed; # Basic sandbox with some restrictions # OR (for more granular control) # security.sandbox = pkgs.firefox.apparmor; # }; # Rest of your configuration # Enable sound with pipewire. sound.enable = true; hardware.pulseaudio.enable = false; ###MY CHANGES hardware.pulseaudio.support32Bit = true; # hardware.pulseaudio.extraConfig = "load-module module-combine-sink"; security.rtkit.enable = true; services.pipewire = { enable = true; alsa.enable = false; alsa.support32Bit = true; pulse.enable = true; # If you want to use JACK applications, uncomment this #jack.enable = true; # use the example session manager (no others are packaged yet so this is enabled by default, # no need to redefine it in your config for now) #media-session.enable = true; }; # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.victor = { isNormalUser = true; description = "victor"; extraGroups = [ "networkmanager" "wheel" ]; packages = with pkgs; [ # thunderbird ]; }; services.pcscd.enable = true; security.pam.yubico = { enable = true; # debug = true; control = "required" ; mode = "challenge-response"; ### challenge response need to write configuration to yubikey with yubikey personalization tool, installed below ### then a "challenge* file is written to ~/.yubico with the command "ykpamcfg -2 -v" ### id generated by : nix-shell --command 'ykinfo -s' -p yubikey-personalization id = [ "xxxxxxx" ]; }; ###MY USER 2 users.users.user2 = { isNormalUser = true; description = "User2"; packages = with pkgs; [ # thunderbird ]; }; # Allow unfree packages ###MY CHANGE nixpkgs.config.allowUnfree = true ; # List packages installed in system profile. To search, run: # $ nix search wget ###MY PACKAGES environment.systemPackages = with pkgs; [ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget libreoffice gedit iftop deja-dup nmap opera yubioath-flutter yubikey-manager-qt yubikey-touch-detector yubikey-personalization-gui yubikey-manager pam_u2f yubikey-personalization libu2f-host yubico-pam chromium apparmor-pam apparmor-utils apparmor-parser apparmor-profiles apparmor-bin-utils apparmor-kernel-patches libapparmor strace ]; nixpkgs.config = { # allowUnfree = true; # Important: Set to true first ( ### already set above ) allowUnfreePredicate = pkg: builtins.elem pkg.name [ "opera" ]; }; environment.defaultPackages = [] ; ###MY CONFIG # Disable Deprecated media server services.dleyna-server.enable = false; ###MY CONFIG: HARDENIHNG services.gnome.rygel.enable = false; services.gnome.gnome-remote-desktop.enable = false; lib.mkForce = "services.gnome.evolution-data-server.enable = false; nix.settings.allowed-users = [ zzz ] ; systemd.services.nscd.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; # RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = any; NoNewPrivileges = true; }; "; services.gnome.gnome-user-share.enable = false; ###MY HARDENING: The following disables ModemManager and other systemd daemons, by defining a pre-requisite of avahi.service; which depends on it's setting of 'enabled = false' above. systemd.services."reload-systemd-vconsole-setup".after = [ "avahi.service" ]; systemd.services."reload-systemd-vconsole-setup".requisite = [ "avahi.service" ]; systemd.services."getty@".after = [ "avahi.service" ]; systemd.services."getty@".requisite = [ "avahi.service" ]; systemd.services."colord".after = [ "avahi.service" ]; systemd.services."colord".requisite = [ "avahi.service" ]; systemd.services."network-local-commands".after = [ "avahi.service" ]; systemd.services."network-local-commands".requisite = [ "avahi.service" ]; systemd.services."bolt".after = [ "avahi.service" ]; systemd.services."bolt".requisite = [ "avahi.service" ]; systemd.services."ModemManager".after = [ "avahi.service" ]; systemd.services."ModemManager".requisite = [ "avahi.service" ]; systemd.services."wpa_supplicant".after = [ "avahi.service" ]; systemd.services."wpa_supplicant".requisite = [ "avahi.service" ]; services.geoclue2.enable = false ; nixpkgs.config.packageOverrides = pkgs: { # blacklistedPackage1 = null; # anotherBadPackage = null; sshd = null; }; ###MY HARDENING networking.useDHCP = false; services.dbus.implementation = "broker"; boot.initrd.systemd.dbus.enable = false; services.xserver.updateDbusEnvironment = false; systemd.services.dbus-broker.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = "any"; NoNewPrivileges = true; }; systemd.services.accounts-daemon.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; # RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = "any"; NoNewPrivileges = true; }; ###This is an official option, but it doesnt work to disable wpa_supplicant # networking.wireless.enable = false ; ###MY CHANGE # disable all music things since I cant find the name of the 'music' app services.polaris.enable = false ; services.navidrome.enable = false ; services.gonic.enable = false ; services.mpd.enable = false ; services.mopidy.enable = false ; services.jmusicbot.enable = false ; programs.geary.enable = false; ###MY ADDITIONS, things I dont use environment.gnome.excludePackages = with pkgs; [ gnome.gnome-music gnome.totem ]; ###MY CHANGE. This is supposed to stop the desired protocols networking.extraHosts = "0.0.0.0 multicast 0.0.0.0 bootpc" ; services.prometheus.exporters.modemmanager.enable = false ; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { # enable = true; # enableSSHSupport = true; # }; # List services that you want to enable: # Enable the OpenSSH daemon. # services.openssh.enable = true; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "23.11"; # Did you read the comment? }

 

[Victor M]

Made some changes to have a partially secure configuration. You need to do a 2 stage installation process.

First you change Gnome Settings > Networking > and set the network Ethernet and WiFi to manual and to use a static ip, and also you turn off Automatic DNS and give it your favourite DNS severs, like '9.9.9.9,149.112.112.112' which specifies Quad9. The use of a manual ip will get rid of the bootp protocol, which can be a attack vector.

Then you add these lines to the default '/etc/nixos/confguration.nix' . These lines give you a set of modified firewall rules. You don't need to be on-line, the change do not need fetching online things.

services.printing.enable = false; # networking.enableIPv6 = false; services.avahi.enable = false; # services.ipp-usb.enable = false; networking.firewall.enable = true; networking.useDHCP = false; networking.firewall.extraCommands = "iptables -I INPUT 1 -f -j DROP iptables -I INPUT 2 -m state --state NEW -j DROP iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP iptables -I INPUT 6 -p udp --sport 68 -j DROP iptables -I INPUT 7 -p tcp --sport 68 -j DROP iptables -I INPUT 8 -m state --state RELATED -j DROP iptables -I INPUT 9 -p tcp --dport 5353 -j DROP iptables -I INPUT 10 -p udp --dport 5353 -j DROP ";

Now do a 'sudo nixos-rebuild switch' . This puts the firewall rules into effect.


Then issue this command: 'sudo nix-channel --add channels.nixos.org/nixos-unstable nixos'
If the command doesn't work, add 'https://' in front of that channel, MT changed it to something else when I had the https:// in front.
This sets the update channel to unstable, which gives you the most recent packages.
Additionally, some of the options below depends on the unstable channel.


Then you use the following 'configuration.nix':
# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: { imports = [ ./restrict-nix-env.nix # Path to your module file # Include the results of the hardware scan. ./hardware-configuration.nix ]; # imports = [ # ./restrict-nix-env.nix # Path to your module file # ]; # lib.mkForce = "/etc/nixos/configuration.nix"; # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "nixos"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. #####MY CHANGES networking.enableIPv6 = false; # networking.tcpcrypt.enable = true ; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Enable networking networking.networkmanager.enable = true; # Set your time zone. # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; # Enable the X11 windowing system. services.xserver.enable = true; # Enable GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; # Configure keymap in X11 services.xserver = { layout = "us"; xkbVariant = ""; }; # Enable CUPS to print documents. # services.printing.enable = true; ###MY CHANGE services.ipp-usb.enable = false; services.printing.enable = false; services.avahi.enable = false; networking.firewall.package = pkgs.iptables; networking.firewall.enable = true; networking.firewall.extraCommands = "iptables -I INPUT 1 -f -j DROP iptables -I INPUT 2 -m state --state NEW,RELATED -j DROP iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP iptables -I INPUT 6 -p udp --sport 68 -j DROP iptables -I INPUT 7 -p tcp --sport 68 -j DROP iptables -I INPUT 7 -p tcp --dPort 22:23 -j DROP iptables -I INPUT 9 -p tcp --dport 5353 -j DROP; iptables -I INPUT 10 -p udp --dport 5353 -j DROP; "; networking.firewall.allowedTCPPorts = [ 443 ]; ###MY CONFIG SECURITY security.apparmor.enable = true; nix.settings.sandbox = true; # Enable sound with pipewire. sound.enable = true; hardware.pulseaudio.enable = false; ###MY CHANGES hardware.pulseaudio.support32Bit = true; # hardware.pulseaudio.extraConfig = "load-module module-combine-sink"; security.rtkit.enable = true; services.pipewire = { enable = true; alsa.enable = false; alsa.support32Bit = true; pulse.enable = true; # If you want to use JACK applications, uncomment this #jack.enable = true; # use the example session manager (no others are packaged yet so this is enabled by default, # no need to redefine it in your config for now) #media-session.enable = true; }; # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.victor = { isNormalUser = true; description = "Victor"; extraGroups = [ "networkmanager" "wheel" ]; packages = with pkgs; [ # thunderbird ]; }; services.pcscd.enable = true; security.pam.yubico = { enable = true; # debug = true; control = "required" ; mode = "challenge-response"; ### challenge response need to write configuration to yubikey with yubikey personalization tool, installed below ### then a "challenge* file is written to ~/.yubico with the command "ykpamcfg -2 -v" ### id generated by : nix-shell --command 'ykinfo -s' -p yubikey-personalization id = [ "11084705" ]; }; users.users.user2 = { isNormalUser = true; description = "User2"; packages = with pkgs; [ # thunderbird ]; }; # Allow unfree packages nixpkgs.config.allowUnfree = true ; ###MY PACKAGES environment.systemPackages = with pkgs; [ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget libreoffice gedit iftop deja-dup nmap # opera yubioath-flutter yubikey-manager-qt yubikey-touch-detector yubikey-personalization-gui yubikey-manager pam_u2f yubikey-personalization libu2f-host yubico-pam chromium apparmor-pam apparmor-utils apparmor-parser apparmor-profiles apparmor-bin-utils apparmor-kernel-patches libapparmor strace ]; nixpkgs.config = { # allowUnfree = true; # Important: Set to true first allowUnfreePredicate = pkg: builtins.elem pkg.name [ "opera" ]; }; environment.defaultPackages = [] ; ###MY CONFIG # Disable Deprecated media server services.dleyna-server.enable = false; ###MY CONFIG # HARDENIHNG services.gnome.rygel.enable = false; services.gnome.gnome-remote-desktop.enable = false; lib.mkForce = "services.gnome.evolution-data-server.enable = false; nix.settings.allowed-users = [ zzz ] ; systemd.services.nscd.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; # RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = any; NoNewPrivileges = true; }; "; services.gnome.gnome-user-share.enable = false; ### The following disables ModemManager, by defining a pre-requisite of avahi.service; which depends on its enabled = false. systemd.services."reload-systemd-vconsole-setup".after = [ "avahi.service" ]; systemd.services."reload-systemd-vconsole-setup".requisite = [ "avahi.service" ]; systemd.services."getty@".after = [ "avahi.service" ]; systemd.services."getty@".requisite = [ "avahi.service" ]; systemd.services."colord".after = [ "avahi.service" ]; systemd.services."colord".requisite = [ "avahi.service" ]; systemd.services."network-local-commands".after = [ "avahi.service" ]; systemd.services."network-local-commands".requisite = [ "avahi.service" ]; systemd.services."bolt".after = [ "avahi.service" ]; systemd.services."bolt".requisite = [ "avahi.service" ]; systemd.services."ModemManager".after = [ "avahi.service" ]; systemd.services."ModemManager".requisite = [ "avahi.service" ]; systemd.services."wpa_supplicant".after = [ "avahi.service" ]; systemd.services."wpa_supplicant".requisite = [ "avahi.service" ]; services.geoclue2.enable = false ; nixpkgs.config.packageOverrides = pkgs: { # blacklistedPackage1 = null; # anotherBadPackage = null; sshd = null; }; networking.useDHCP = false; services.dbus.implementation = "broker"; boot.initrd.systemd.dbus.enable = false; services.xserver.updateDbusEnvironment = false; systemd.services.dbus-broker.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = "any"; NoNewPrivileges = true; }; systemd.services.accounts-daemon.serviceConfig = { ProtectHome=true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; # RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; IPAddressDeny = "any"; NoNewPrivileges = true; }; ] # disable all music things since I cant find the name of the 'music' app services.polaris.enable = false ; services.navidrome.enable = false ; services.gonic.enable = false ; services.mpd.enable = false ; services.mopidy.enable = false ; services.jmusicbot.enable = false ; programs.geary.enable = false; environment.gnome.excludePackages = with pkgs; [ # pkgs.gnome-music.org gnome.gnome-music gnome.totem ]; networking.extraHosts = "0.0.0.0 multicast 0.0.0.0 bootpc" ; services.prometheus.exporters.modemmanager.enable = false ; # List services that you want to enable: # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "23.11"; # Did you read the comment? }

Remember to reboot.

Today 2024-04-24, the package deja-dup did not install as requested in the 'configuration.nix'. Maybe it is due to using the unstable channel.
So I have to do 'nix-env -i deja-dup' .
This installs the Gnome Backup program, without which you cannot restore from backup.

Now do this to mount /nix/store as writable: 'sudo /run/wrappers/bin/mount -o remount,rw /nix/store'

Next, do a 'whereis nix'. This gives you the base location of the 'nix-env' command and 'nixos-rebuild' command.
Use 'ls -la' to follow the path revealed.
Copy the found path, and do a 'ls -la' with that path.
Repeat until you find the true location, not just a link, where it will show you the file permssions, which includes o+x.
Then do 'sudo chmod o-x' with the correct path which is not a link.

Repeat the steps above changing the permissions of curl.

Now reboot. This will re-mount /nix/store to be read-only again as intended by the distro.

Remember you have to repeat these 2 things: changing file permissions of nix and curl whenever you rebuild. Or anybody who gains access to your account will be able to install anything they wish.

 

[Brahman]

It's a revolutionary concept in Linux distro space. But it's a steep learning curve as it deviates from the standard Linux directory layout and as a result troubleshooting becomes a tedious process. I tried it once but soon came to the conclusion that it is not for me. Yes it's ultra secure but I doubt whether it can be even called as a Linux distro, it's more like "looks like linux, feels like Linux" kind of thing.