weinturm-infra/modules/security.nix

{
  boot = {
    tmp.cleanOnBoot = true;
    kernel.sysctl = {
      "kernel.kptr_restrict" = 1;
      "kernel.yama.ptrace_scope" = 1;
      "kernel.kexec_load_disabled" = 1;
    };
    kernelParams = [
      "lockdown=integrity"
    ];
  };

  security = {
    polkit.enable = true;
    sudo.wheelNeedsPassword = false;
  };
}