I am looking forward to hardening my system, but I’m not sure how I should go about it. Any advice?

  • @82cb5abccd918e03@lemmygrad.ml
    2 months ago

    The Arch wiki has some stuff on kernel hardening. The Gentoo wiki has a lot of hardening stuff and is deeper since you can set your own compile flags.

    Do you mean hardening the kernel or hardening user space?

    For hardening the kernel there are patch sets out there that add in extra measures like address space randomization for processes and restricting some system calls. Arch uses this kernel. Also look at Gentoo’s kernel ebuild, which has a hardened use flag. I don’t really understand the reasoning behind everything, and it will have a performance penalty. You could probably easily make a new package definition to build any hardened kernel patches you want.

    Linux also has an optional SELinux system that can be enabled during compilation. It implements an ACL on top of the regular Unix style owner/group permissions in the filesystem. Guix has some support for it, but barely anyone uses SELinux (Arch doesn’t even support it), although Gentoo does due to the flexibility of portage. So enabling SELinux on Guix is going into a niche of a niche with little support, but it’s pretty interesting to learn about.

    For user space the usual advice is to try to run as few programs as possible as root. For example, the default set of %desktop-services has a lot of extra services you probably don’t need, like Avahi.

    Going deeper into impracticality, if you really really want you can change the compilation options for programs to add security measures like position independent code, stack canaries, extra control flow protection, address sanitizers, but these will all have performance penalties. You can take inspiration from how Gentoo’s hardened toolchain does it. These modifications are practically only possible on source based distros like Gentoo, Nix, and Guix since you need to recompile the program to add these measures in. You can probably add to packages fairly easily with a package transform like options->transformation by adding -fstack-protector-strong -fstack-clash-protection -fcf-protection=full to the CFLAGS or something.
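
An added example, not part of the comment above: a Guix `config.scm` fragment that drops Avahi from `%desktop-services` and rebuilds one package with the hardening flags mentioned. It uses package inheritance rather than `options->transformation`; the names `%trimmed-desktop-services` and `hello-hardened` are hypothetical, and GNU Hello stands in for whatever package you want to rebuild.

```scheme
;; Added example: names marked "hypothetical" are not from the thread.
(use-modules (gnu)
             (gnu services avahi)     ; avahi-service-type
             (gnu services desktop)   ; %desktop-services
             (gnu packages base)      ; hello
             (guix packages)
             (guix gexp)
             (guix utils))            ; substitute-keyword-arguments

;; Hypothetical name: the stock desktop service list minus the
;; Avahi mDNS/DNS-SD daemon, so one less network-facing service runs.
(define %trimmed-desktop-services
  (modify-services %desktop-services
    (delete avahi-service-type)))

;; Hypothetical name: GNU Hello rebuilt with extra compiler hardening.
;; Assumes an Autoconf-style package that honours CFLAGS passed to
;; ./configure; -fcf-protection=full only has an effect on x86 targets.
(define hello-hardened
  (package
    (inherit hello)
    (name "hello-hardened")
    (arguments
     (substitute-keyword-arguments (package-arguments hello)
       ((#:configure-flags flags #~'())
        #~(cons (string-append
                 "CFLAGS=-O2 -g"
                 " -fstack-protector-strong"
                 " -fstack-clash-protection"
                 " -fcf-protection=full")
                #$flags))))))

;; Inside the (operating-system ...) form these would be used as:
;;   (services %trimmed-desktop-services)
;;   (packages (cons hello-hardened %base-packages))
```

Because the flags change the derivation, `hello-hardened` is built locally instead of being fetched as a substitute.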

    • @velox_vulnusOP
      22 months ago

      Thank you for sharing this. Now that I think of it, I am probably good with a non-hardened kernel, since I’m on a development environment.

  • @wargreymon2023@sopuli.xyz
    2 months ago

    Start with the configuration template of a “bare-bone” system; you can find that on the USB installation or in the documentation. Figure out what you want as root and configure only that.

    Leave the rest for “home configuration” of a user.