https://github.com/JeremiahSecrist/regula-nix
This project aims to help implement and enforce various security standards in NixOS. Regula means "standards" in Latin.
cis-benchmark flakes nixos security-automation
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/JeremiahSecrist/regula-nix
- Owner: JeremiahSecrist
- License: mit
- Created: 2023-08-28T20:58:29.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2025-03-10T03:45:22.000Z (over 1 year ago)
- Last Synced: 2025-03-10T03:46:56.276Z (over 1 year ago)
- Topics: cis-benchmark, flakes, nixos, security-automation
- Language: Nix
- Homepage: https://jeremiahsecrist.github.io/regula-nix/
- Size: 950 KB
- Stars: 33
- Watchers: 2
- Forks: 1
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- best-of-nix - GitHub - 23% open · ⏱️ 10.03.2025 (Security)
README
# Regula-nix
[CI checks](https://github.com/JeremiahSecrist/regula-nix/actions/workflows/checks.yml)
A NixOS module aimed at making provable security compliance accessible and maintainable.
Pushing compliance checking to the left.
## Core concepts
Regula-nix provides a NixOS module that, once imported, lets you define tests and restrictions over your own configuration.
## Examples
```nix
# A NixOS module that declares one regula rule; `config` is the module argument
# needed for the `config.services.openssh.enable` reference below.
{ config, ... }:
{
  regula.rules = {
    sshdMustBeEnabled = {
      enable = true;
      eval.assertion.is = config.services.openssh.enable;
      build = {
        toplevel = { testData, failureContext }: { };   # a script that must return true when run against the NixOS output
        perPackage = { testData, failureContext }: { }; # a derivation that must build successfully
      };
      vm = {
        # This uses pytest with integrations into the boot lifecycle of the system.
        testScript = ''
          with subtest("sshd must be enabled"):
              machine.wait_for_unit("sshd.service")
              machine.succeed("systemctl is-active -q sshd.service")
        '';
      };
      # Extra info and data about this test that is made available where relevant.
      meta = {
        # failureContext becomes a multiline string that is useful when a rule fails.
        failureContext = {
          name = "openssh is not enabled";
        };
        # testData is passed through unaltered for use in the relevant functions.
        testData = {
          example = "foo";
        };
      };
    };
  };
}
```