https://catinashell.de/tags/security/ Recent content in Security on Cat in a Shell Hugo en-us Fri, 26 Jun 2026 15:15:56 +0200 https://catinashell.de/posts/nix-impermanence-noexec-root/ Fri, 26 Jun 2026 15:15:56 +0200 https://catinashell.de/posts/nix-impermanence-noexec-root/ <p>An impermanent NixOS Setup is something, I personally I really enjoy, as I don&rsquo;t like preserving everything on my system forever &hellip; Persistence Opt-In is the best approach.</p> <p>And recently I came across a nice Blog about hardening NixOS from <a href="https://xeiaso.net/blog/paranoid-nixos-2021-07-18/" target="_blank" rel="noopener">Xe Iaso&rsquo;s blog</a>. And well one thing especially seemed cool, so I wanted to share it.</p> <h2 id="noexec-for-the-root-fs">NoExec for the Root FS</h2> <p>At the bottom of the blog is a part about having <code>noexec</code> for the root fs (which is a tmpfs anyway). Since all programs in NixOS life anyway in <code>/nix/store</code> and <code>/nix</code> is its own partition in the typical Impermancence Setup (I won&rsquo;t talk about how to this now, as there are already many good blogs discussing this, and showing how it&rsquo;s done; if you want to see my own setup, check <a href="https://codeberg.org/slayernominee/mynixos" target="_blank" rel="noopener">my Codeberg out</a>). So only the <code>/nix</code> parititon needs to be mounted without <code>noexec</code>, the rest can be <mark><code>noexec</code></mark>.</p>