Here’s how this concept made it onto my radar. This is an obsessively paranoid NixOS config and accompanying article:
https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
Also, for further reference:
There’s a whole subsection of nixpkgs that could be helpful for a hardening guide:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
Also, there are a few articles walking us through hardening Nix:
https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html
On NixOS Discourse:
https://discourse.nixos.org/t/hardening-systemd-services/17147/6