From 8251040b04686ff0d26d9b1b8e681b4c0e7b9143 Mon Sep 17 00:00:00 2001
From: reidlab
Date: Wed, 27 Mar 2024 23:10:34 -0700
Subject: [PATCH] security.nix adjustments...

---
 modules/security.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/security.nix b/modules/security.nix
index c9a2d1d..1fdc7bc 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -5,7 +5,7 @@ let cfg = config.modules.security;
 in {
 
   options.modules.security = {
-    useDoas = mkEnableOption "use doas instead of sudo";
+    useDoas = mkEnableOption "use opendoas instead of sudo";
   };
 
   config = mkIf cfg.enable {
@@ -51,10 +51,14 @@ in {
     security = {
       # prevents replacing the kernel without a reboot
       protectKernelImage = true;
-      # allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+      # rtkit allows unprivileged processes to use realtime scheduling
+      # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
       rtkit.enable = true;
       polkit.enable = true;
     };
+
+    # while this is on by default, i am going to explicitly specify this
+    networking.firewall.enable = true;
   } // (mkIf cfg.useDoas {
     security.sudo.enable = false;
     security.doas.enable = true;
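Review bot: The new `networking.firewall.enable = true;` (and the whole `security` block around it) never reaches the module system as far as these two hunks show, because `config = mkIf cfg.enable { … } // (mkIf cfg.useDoas { … })` applies `//` to two `mkIf` results: `mkIf` returns a plain attrset `{ _type = "if"; condition; content; }`, so the right operand's `condition` and `content` overwrite the left's and only the doas settings survive, gated on `cfg.useDoas` rather than `cfg.enable`. That silently drops `protectKernelImage`, `rtkit`, `polkit` and the added firewall line, so the explicit hardening this commit adds is a no-op; evaluating `config.security.protectKernelImage` with `useDoas = false` should confirm it. The fix is to merge with `mkMerge` instead: `config = mkMerge [ (mkIf cfg.enable {`, close that set with `}) (mkIf cfg.useDoas {`, and end the list with `}) ];` where the expression closes — `mkMerge` comes from the same `lib` that already supplies `mkIf` and `mkEnableOption`. The `config` expression starts in the first hunk and ends past the end of this one.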