From 22f2e258af4786c8504c9b20f7047757dfc9a0ea Mon Sep 17 00:00:00 2001
From: Tristan Ross
Date: Fri, 16 May 2025 15:31:50 -0700
Subject: [PATCH] nixos/security: add landlock, yama, and bpf defaults

---
 nixos/modules/security/default.nix | 34 +++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/security/default.nix b/nixos/modules/security/default.nix
index c8baad1a3dd9..5170383d6f5e 100644
--- a/nixos/modules/security/default.nix
+++ b/nixos/modules/security/default.nix
@@ -5,7 +5,7 @@ in
 {
 options = {
 security.lsm = lib.mkOption {
- type = lib.types.uniq (lib.types.listOf lib.types.str);
+ type = lib.types.listOf lib.types.str;
 default = [ ];
 description = ''
 A list of the LSMs to initialize in order.
@@ -13,16 +13,26 @@ in
 };
 };
- config = lib.mkIf (lib.lists.length cfg.lsm > 0) {
- assertions = [
- {
- assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0;
- message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";
- }
- ];
+ config = lib.mkMerge [
+ { # We set the default LSM's here due to them not being present if set when enabling AppArmor.
+ security.lsm = [ "landlock" "yama" "bpf" ];
+ }
+ (lib.mkIf (lib.lists.length cfg.lsm > 0) {
+ assertions = [ { assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0; message = "security parameter in boot.kernelParams cannot be used when security.lsm is used"; } ];
- boot.kernelParams = [
- "lsm=${lib.concatStringsSep "," cfg.lsm}"
- ];
- };
+ boot.kernelParams = [
+ "lsm=${lib.concatStringsSep "," cfg.lsm}"
+ ];
+ })
+ ];
 }
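Review bot: With `uniq` removed from the type, `security.lsm` is merged by list concatenation, so the final `lsm=` order comes from the module system's definition priorities and evaluation order rather than from any single definition, while the option description in this same hunk still promises the LSMs are initialized "in order". The description should say that definitions from several modules are concatenated and that a definition needing a fixed position should use `lib.mkBefore`/`lib.mkAfter` (or `lib.mkOrder`), e.g. `A list of the LSMs to initialize in order. Definitions from several modules are concatenated; use lib.mkBefore/lib.mkAfter to control placement.` The `security.lsm` option declaration continues past the end of the hunk.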
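Review bot: The unconditional default turns `lsm=landlock,yama,bpf` into a kernel parameter on every system, and as far as the kernel's documented `lsm=` semantics go an explicit list is exhaustive, so LSMs it omits are not initialized and anything the kernel's built-in CONFIG_LSM order would have enabled (lockdown being the usual case) is silently dropped; the new comment says nothing about this. I would replace `# We set the default LSM's here due to them not being present if set when enabling AppArmor.` with a comment stating that these three replace the kernel's built-in LSM order and that any other LSM (lockdown, apparmor, selinux) has to be appended by the module that enables it, which presumably is what the AppArmor module does. Because `listOf str` now merges by concatenation and nothing de-duplicates, a module or user re-listing `"landlock"` yields `lsm=landlock,yama,bpf,landlock`; `"lsm=${lib.concatStringsSep "," (lib.unique cfg.lsm)}"` keeps the first occurrence of each entry and avoids that. The `lib.mkIf (lib.lists.length cfg.lsm > 0)` guard is now only reachable through `lib.mkForce [ ]`, which deserves a one-line comment so it is not later removed as dead code.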