security update

Checklog:
1. Enabled `SELinux` patches
2. Enabled `tomoyo` Linux Security Module
3. Added snippet for `Mullvad VPN`
4. Added snippet for `containerd`
5. Added snippet for `firecracker`

README.md

@@ -40,6 +40,8 @@ This approach ensures that you stay on the forefront of technology, receiving th
 
 🚨Please note that the system utilizes **Podman** instead of **Docker** for containerization due to various reasons, primarily related to security (rootless and daemonless containers), easier migration to Kubernetes, availability of pods, compatibility with systemd, and better security for `distrobox`. If you prefer to use **Docker** instead of **Podman**, you can make the switch by commenting out the **Podman** section in the `configuration.nix` file and uncommenting the **Docker** section. More details on **Docker** configuration in NixOS can be found [here](https://nixos.wiki/wiki/Docker).
 
+The system also enables SELinux patches, as well as AppArmor and Tomoyo Linux Security Modules. It includes security daemons such as Fail2Ban and USBGuard, with Firejail preinstalled to meet your security requirements.
+
 You have the flexibility to customize these configurations according to your needs by modifying the respective configuration files.
 
 ## 🌟 Showcase

nixos/configuration.nix

@@ -17,7 +17,6 @@
   boot.loader.timeout = 2;
   boot.initrd.enable = true;
   boot.initrd.systemd.enable = true;
-  boot.kernelParams = [ "quiet" "fbcon=nodefer" "vt.global_cursor_default=0" "kernel.modules_disabled=1" "lsm=landlock,lockdown,yama,integrity,apparmor,bpf" "usbcore.autosuspend=-1" "video4linux" "acpi_rev_override=5" ];
   boot.plymouth = {
     enable = true;
     # logo = pkgs.fetchurl {
@@ -168,6 +167,28 @@
 
   # Linux Kernel
   boot.kernelPackages = pkgs.linuxKernel.packages.linux_testing;
+  boot.kernelParams = [ 
+    "quiet"
+    "fbcon=nodefer"
+    "vt.global_cursor_default=0"
+    "kernel.modules_disabled=1"
+    "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+    "usbcore.autosuspend=-1"
+    "video4linux"
+    "acpi_rev_override=5"
+    "security=selinux"
+  ];
+  # boot.kernelPatches = [ {
+  #      name = "selinux-config";
+  #      patch = null;
+  #      extraConfig = '' 
+  #              SECURITY_SELINUX y
+  #              SECURITY_SELINUX_BOOTPARAM n
+  #              SECURITY_SELINUX_DEVELOP y
+  #              SECURITY_SELINUX_AVC_STATS y
+  #              DEFAULT_SECURITY_SELINUX n
+  #            '';
+  # } ];
 
   # Enable networking
   networking.networkmanager = {
@@ -271,6 +292,10 @@
     StateDirectory = "dnscrypt-proxy";
   };
 
+  # Enable Mullvad VPN
+  # services.mullvad-vpn.enable = true;
+  # services.mullvad-vpn.package = pkgs.mullvad; # `pkgs.mullvad` only provides the CLI tool, use `pkgs.mullvad-vpn` instead if you want to use the CLI and the GUI.
+
   # Enable MAC Randomize
   # systemd.services.macchanger = {
   #   enable = true;
@@ -339,6 +364,7 @@
   };
 
   # Systemd services setup
+  systemd.package = pkgs.systemd.override { withSelinux = true; };
   systemd.packages = with pkgs; [
     auto-cpufreq
   ];
@@ -391,7 +417,11 @@
   # Enable CUPS to print documents.
   # services.printing.enable = true;
   
-  # Enable container manager
+  ### Enable container manager
+
+  # Enable Containerd
+  # virtualisation.containerd.enable = true;
+
   # Enable Docker
   # virtualisation.docker.enable = true;
   # virtualisation.docker.rootless = {
@@ -399,6 +429,7 @@
   #   setSocketVariable = true;
   # };
   # users.extraGroups.docker.members = [ "xnm" ];
+
   # Enable Podman
   virtualisation = {
     podman = {
@@ -474,6 +505,7 @@
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
+    policycoreutils
     mold
     gcc13
     jdk11
@@ -526,13 +558,12 @@
     wasmi
     # wasm3
 
+    # mullvad-closest
     license-generator
     git-ignore
     just
     xh
     tgpt
-    distrobox
-    qemu
     wezterm
     cool-retro-term
     # mcfly # terminal history
@@ -573,6 +604,12 @@
     felix-fm
     chafa
 
+    # nerdctl
+    # firecracker
+    # firectl
+    # flintlock
+    distrobox
+    qemu
     podman-compose
     podman-tui