Here’s how this concept made it into my radar. This is an obsessively paranoid NixOS config and accompanying article:

xeiaso.net/blog/paranoid-nixos-2021-07-18/

Also, for further reference:

There’s a whole subsection of nixpkgs that could be helpful for a gardening guide:

github.com/NixOS/nixpkgs/blob/…/hardened.nix

Also, there are a few articles walking us through hardening Nix:

dataswamp.org/…/2022-01-13-nixos-hardened.html

On NixOS Discourse:

discourse.nixos.org/t/…/6