Hey everyone. I’m sure this topic comes up, but I’m looking for some specific advice.
I’m new to NixOS (about 3 weeks in), just moved over after using Arch for the last 5 years.
My main goal is to build a setup with a really strong focus on OpSec. I’m a huge fan of the Qubes OS model (strong compartmentalization, disposable VMs, etc.), but I really want to leverage the declarative nature of NixOS for this. It seems perfect for a reproducible, secure system.
So, what are the best practices for this on Nix? Is anyone here running a similar high-security or Qubes-like setup? I’m wondering about the best way to manage disposable VMs, network isolation for different apps, and general system hardening, all in an idiomatic “Nix” way.
Basically, how are you guys approaching a hardened, OpSec-focused desktop on NixOS? Appreciate any pointers!
It’s not as secure as Qubes, but you can use nix-flatpak to manage flatpaks (containerized desktop applications, just make sure to remove any dangerous permissions with overrides), or you can use nixpak to sandbox nix packages in a similar manner though it’s way more manual. Of course, you can also do standard Linux hardening, like using the linux-hardened package (just make sure to set security.unprivilegedUsernsClone = true; or setuid bwrap so it doesn’t break flatpak and chrome sandboxing) or using a hardened malloc implementation (e.g. environment.memoryAllocator.provider = "graphene-hardened"; – doesn’t apply inside flatpaks).
In theory, with a wayland compositor and containerized applications, you can build a secure system, but there’s still a lot more surface area for an attacker than Qubes. At least it’s not as bad as normal Linux systems where as soon as you’ve exploited a desktop app you can go read ~/.ssh or write to ~/.bashrc.
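The reply above names several NixOS options without showing how they fit together. The following `configuration.nix` fragment is an added example, not code from the reply's author, nix-flatpak, or any other project: it wires up the hardened kernel, the user-namespace setting that keeps flatpak and Chromium sandboxes working (with the setuid-bwrap alternative shown commented out), the hardened allocator, and declarative flatpak overrides that strip X11 and home-directory access. It assumes a flake setup where nix-flatpak is an input passed into the module as `nix-flatpak`; the app id `org.mozilla.firefox` is just a placeholder for whichever app you install.

```nix
# Added example configuration fragment (not from the thread or any project).
# Assumption: nix-flatpak is a flake input and is handed to this module
# via specialArgs under the name `nix-flatpak`.
{ config, pkgs, nix-flatpak, ... }:

{
  imports = [ nix-flatpak.nixosModules.nix-flatpak ];

  # Hardened kernel, as suggested in the reply.
  boot.kernelPackages = pkgs.linuxPackages_hardened;

  # With linux-hardened, unprivileged user namespaces are off by default.
  # Flatpak (bubblewrap) and Chromium's sandbox rely on them, so either
  # re-enable them ...
  security.unprivilegedUsernsClone = true;

  # ... or ship a setuid bubblewrap instead. Pick one of the two; this
  # is the alternative, left commented out here.
  # security.wrappers.bwrap = {
  #   source = "${pkgs.bubblewrap}/bin/bwrap";
  #   owner = "root";
  #   group = "root";
  #   setuid = true;
  # };

  # Hardened allocator for natively packaged programs. Flatpak apps ship
  # their own runtime, so this does not reach inside the sandbox.
  environment.memoryAllocator.provider = "graphene-hardened";

  # Flatpaks managed declaratively via nix-flatpak, with permissions
  # tightened through overrides rather than the app's defaults.
  services.flatpak = {
    enable = true;

    # Placeholder app id; replace with what you actually run.
    packages = [ "org.mozilla.firefox" ];

    overrides = {
      global = {
        # Wayland only: an X11 socket lets one client observe other
        # windows and inject input, which defeats the sandbox.
        Context.sockets = [ "wayland" "!x11" "!fallback-x11" ];
        # No blanket home or host filesystem access for any app.
        Context.filesystems = [ "!home" "!host" ];
      };

      "org.mozilla.firefox".Context = {
        # Grant only the downloads directory back, nothing else.
        filesystems = [ "xdg-download" ];
      };
    };
  };
}
```

After a rebuild, `flatpak override --show org.mozilla.firefox` (and the same without an app id for the global layer) lets you confirm what the sandbox actually received, which is the check worth doing whenever an app's own manifest asks for more than you intended to grant.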
Container-jailing all the things is pretty easy in multiple ways. A VM-based Nix-managed approach with more or less uniform security attention to all the moving parts is being built by SpectrumOS, and that’s a multi-year endeavour by now.
There’s experimental support for Qubes: CertainLach/nixos-qubes on GitHub (QubesOS packages and dom0 for NixOS) — you will need to help and pick up the work if you want to drive Qubes isolation from a NixOS userspace.