monovergent 🛠️

  • 1 Post
  • 1 Comment
Joined 2 years ago
Cake day: November 27th, 2023

  • As others have suggested, QubesOS is a good one to have on your list. I’d probably use it if it weren’t for its crippling effects on battery life.

    Immutable distros are much friendlier to laptops and, as I understand, update in a way not unlike an Android device would. But I insist on some system-level customizations and I haven’t been motivated to learn how such customizations can be made to survive updates and the like.

    I’ve also been eyeing NixOS, but with everything up and running on Debian smoothly for a few years, I haven’t found the excuse to switch yet. Along with customizing it to be a comfortable daily driver, I’ve also been trying to see how secure I can make my system as a fun exercise. While it’s not immutable, Debian is a good base considering the team behind it and how much is riding on its security, including internet-facing servers.

    What I’ve done to harden Debian, if anyone’s interested:

    • Apply Madaidan’s hardening guide judiciously. Roughly 2/3 of the measures made sense for my use case and it’s almost unnoticeable in my daily workflow.
    • Have as few closed-source components as possible. In my case, intel-microcode is the only non-free package on my system.
    • Install the hardening-runtime package, but remove its included slub_debug=FPZ kernel argument, which in recent kernels forces less secure unhashed pointers.
    • XFCE is still not fully ported to Wayland, so I use slock, the X11 screen locker with the fewest lines of code.
    • Install the ufw firewall and default to deny.
    • Enable unattended-upgrades.
    • Everything including the /boot partition is encrypted. I have built coreboot with just the GRUB2 payload, which I configured to immediately bring up the LUKS password prompt. All other options are behind a password.

    I also put together and maintain a ~16 GB clean system image of Debian set up exactly to my taste, which I clone to my machines as needed. This probably wouldn’t have been a thing if I knew about NixOS earlier, and it certainly hasn’t helped me switch over either.
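As an added example (not the commenter's own tooling), the following POSIX sh helpers audit the four items from the list above that can be checked from command output: the slub_debug kernel argument, the ufw default policy, packages outside main, and unattended-upgrades. Function names and the sample outputs are constructed; on a live Debian machine you would feed them /proc/cmdline, `ufw status verbose`, dpkg-query output and the apt.conf.d file instead.

```shell
#!/bin/sh
# Hypothetical audit helpers for the hardening list. Each function takes
# command output as its argument so it can be tested on constructed samples
# offline; pass real output from the live system to audit it.

# Kernel cmdline: 0 if a slub_debug= argument is present (the comment notes
# it forces unhashed kernel pointers on recent kernels).
has_slub_debug() {
    case " $1 " in
        *" slub_debug="*) return 0 ;;
        *) return 1 ;;
    esac
}

# `ufw status verbose` output: 0 only if ufw is active and incoming is denied.
ufw_default_deny() {
    printf '%s\n' "$1" | grep -q '^Status: active' || return 1
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# `dpkg-query -W -f='${Package} ${Section}\n'` output: list installed
# packages whose section lies outside main.
nonfree_packages() {
    printf '%s\n' "$1" | awk '$2 ~ /^(non-free|non-free-firmware|contrib)\// { print $1 }'
}

# /etc/apt/apt.conf.d/20auto-upgrades contents: 0 if unattended-upgrades runs.
unattended_enabled() {
    printf '%s\n' "$1" | grep -q '^APT::Periodic::Unattended-Upgrade "1";'
}

# Print one line per check; arguments are the four outputs described above.
report() {
    has_slub_debug "$1" && echo "WARN slub_debug on cmdline" || echo "OK   no slub_debug"
    ufw_default_deny "$2" && echo "OK   ufw default deny" || echo "WARN ufw not denying inbound"
    echo "INFO non-main packages: $(nonfree_packages "$3" | tr '\n' ' ')"
    unattended_enabled "$4" && echo "OK   unattended-upgrades" || echo "WARN unattended-upgrades off"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet slub_debug=FPZ'
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)'
SAMPLE_DPKG='bash shells
intel-microcode non-free-firmware/admin
slock x11'
SAMPLE_AUTOUPG='APT::Periodic::Unattended-Upgrade "1";'
report "$SAMPLE_CMDLINE" "$SAMPLE_UFW" "$SAMPLE_DPKG" "$SAMPLE_AUTOUPG"
```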