kyra/security/audit.nix

@@ -1,29 +0,0 @@
-_: {
-  security = {
-    audit = {
-      enable = true;
-      failureMode = 2;
-      rules = [
-        "-a always,exit -F arch=b64 -S mount,umount2,swapon,swapoff -k fs_ops"
-        "-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -k kernel_mods"
-        "-a always,exit -F arch=b64 -S bind,connect,accept -F success=0 -k net_violations"
-        "-w /run/secrets -p r -k secret_read"
-      ];
-    };
-
-    auditd = {
-      enable = true;
-      settings = {
-        flush = "incremental_async";
-        freq = 50;
-        max_log_file = 10;
-        num_logs = 3;
-        max_log_file_action = "rotate";
-        admin_space_left_action = "suspend";
-        disk_full_action = "suspend";
-        disk_error_action = "suspend";
-        log_format = "ENRICHED";
-      };
-    };
-  };
-}

kyra/security/defaults.nix

@@ -1,13 +0,0 @@
-_: {
-  security = {
-    unprivilegedUsernsClone = false;
-    forcePageTableIsolation = true;
-    allowSimultaneousMultithreading = false;
-    protectKernelImage = true;
-    lockKernelModules = true;
-
-    virtualisation = {
-      flushL1DataCache = "always";
-    };
-  };
-}

kyra/services/journalctl.nix

@@ -1,14 +0,0 @@
-_: {
-  services = {
-    journald = {
-      audit = true;
-      storage = "volatile";
-      rateLimitBurst = 1000;
-      rateLimitInterval = "30s";
-      extraConfig = ''
-        RuntimeMaxUse=128M
-        MaxRetentionSec=1day
-      '';
-    };
-  };
-}