From ff98be13a310eeda08f32af5dae4ffa77d4d7245 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 19:04:59 +0300
Subject: [PATCH 1/3] kyra(hardening): audit & auditd init
Signed-off-by: s0me1newithhand7s
---
 kyra/security/audit.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 kyra/security/audit.nix
diff --git a/kyra/security/audit.nix b/kyra/security/audit.nix
new file mode 100644
index 0000000..fb22289
--- /dev/null
+++ b/kyra/security/audit.nix
@@ -0,0 +1,29 @@
+_: {
+ security = {
+ audit = {
+ enable = true;
+ failureMode = 2;
+ rules = [
+ "-a always,exit -F arch=b64 -S mount,umount2,swapon,swapoff -k fs_ops"
+ "-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -k kernel_mods"
+ "-a always,exit -F arch=b64 -S bind,connect,accept -F success=0 -k net_violations"
+ "-w /run/secrets -p r -k secret_read"
+ ];
+ };
+
+ auditd = {
+ enable = true;
+ settings = {
+ flush = "incremental_async";
+ freq = 50;
+ max_log_file = 10;
+ num_logs = 3;
+ max_log_file_action = "rotate";
+ admin_space_left_action = "suspend";
+ disk_full_action = "suspend";
+ disk_error_action = "suspend";
+ log_format = "ENRICHED";
+ };
+ };
+ };
+}
From d5d41960f4afba9e20e5d5294a137c405ce02d42 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 19:05:21 +0300
Subject: [PATCH 2/3] kyra(hardening): security defaults init
Signed-off-by: s0me1newithhand7s
---
 kyra/security/defaults.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 kyra/security/defaults.nix
diff --git a/kyra/security/defaults.nix b/kyra/security/defaults.nix
new file mode 100644
index 0000000..ffd8c5a
--- /dev/null
+++ b/kyra/security/defaults.nix
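Review bot: `failureMode = 2;` does not look like a valid value for the NixOS `security.audit.failureMode` option, which as far as I recall is an enum of the strings `"silent"`, `"printk"` and `"panic"` (the module translates them to `auditctl -f 0/1/2`), so evaluation should fail on the type check; the intended setting is `failureMode = "panic";`. The three syscall rules only match `arch=b64`, so a process issuing the same syscalls through the 32-bit compat ABI is not recorded; either add `-F arch=b32` twins of each rule or disable 32-bit compat in the kernel, and say which in a comment above `rules`. The three `*_action = "suspend"` settings mean that when the audit disk is full or faulty auditing silently stops while the host keeps running, which sits oddly next to a kernel failure mode of panic; if that trade-off is deliberate, a one-line comment on the `settings` block documenting it would help the next reader.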
@@ -0,0 +1,13 @@
+_: {
+ security = {
+ unprivilegedUsernsClone = false;
+ forcePageTableIsolation = true;
+ allowSimultaneousMultithreading = false;
+ protectKernelImage = true;
+ lockKernelModules = true;
+
+ virtualisation = {
+ flushL1DataCache = "always";
+ };
+ };
+}
From ceb94d7cb182f93fce6364ac01da3df30d6c8e4c Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 19:05:41 +0300
Subject: [PATCH 3/3] kyra(hardening): journalctl audit settings
Signed-off-by: s0me1newithhand7s
---
 kyra/services/journalctl.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 kyra/services/journalctl.nix
diff --git a/kyra/services/journalctl.nix b/kyra/services/journalctl.nix
new file mode 100644
index 0000000..ea895b3
--- /dev/null
+++ b/kyra/services/journalctl.nix
@@ -0,0 +1,14 @@
+_: {
+ services = {
+ journald = {
+ audit = true;
+ storage = "volatile";
+ rateLimitBurst = 1000;
+ rateLimitInterval = "30s";
+ extraConfig = ''
+ RuntimeMaxUse=128M
+ MaxRetentionSec=1day
+ '';
+ };
+ };
+}
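Review bot: `unprivilegedUsernsClone = false;` removes the kernel primitive that bubblewrap, Flatpak and Chromium-family browsers rely on for unprivileged sandboxing, so on a host running any of those the net effect can be weaker isolation rather than stronger; the file should carry a comment stating that no such workload runs here, or the option should be reconsidered. `lockKernelModules = true;` blocks every module load after boot, so anything normally loaded on demand (hot-plugged devices, filesystems mounted later, netfilter modules pulled in by firewall rules) has to be listed in `boot.kernelModules` or it fails at runtime. `protectKernelImage` also disables hibernation and kexec, and `allowSimultaneousMultithreading = false` halves the logical CPU count; none of these trade-offs is visible from the file, so a one-line rationale above each option would make the profile reviewable.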
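Review bot: `storage = "volatile";` keeps the journal only in `/run`, so every record that auditd does not also capture (sshd, sudo, PAM, service failures) is lost on a reboot or crash, which is precisely the evidence an incident responder needs after an attacker-triggered reboot. If the host has an ephemeral root or the journal is forwarded elsewhere, say so in a comment next to the option; otherwise `storage = "persistent";` is the safer default for a hardening profile. With `audit = true` the audit stream is additionally copied into the journal, but `MaxRetentionSec=1day` and the volatile store mean the auditd log remains the only durable copy, which is worth stating next to `audit`. The file is named `journalctl.nix` but configures `services.journald`; `journald.nix` would match the option it sets.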