nixos-config/system/hardened.nix

{ config, pkgs, lib, ... }:

# utilises some of the measures from
# <nixpkgs/nixos/modules/profiles/hardened.nix>
with lib; {
  boot.loader.systemd-boot.editor = mkDefault false;

  nix.settings.allowed-users = mkDefault [ "@users" ];

  # causes Firefox & Tor Browser segfaults
  # environment.memoryAllocator.provider = mkDefault "scudo";
  # environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

  # mullvad-daemon is blocked by one of these measures

  # security.hideProcessInformation = mkDefault true;

  # security.lockKernelModules = mkDefault true;

  # security.protectKernelImage = mkDefault true;

  security.apparmor.enable = mkDefault true;
}
feat: add hardened module 2020-08-14 23:19:21 +02:00			`{ config, pkgs, lib, ... }:`

			`# utilises some of the measures from`
			`# <nixpkgs/nixos/modules/profiles/hardened.nix>`
style: format nix files 2020-09-23 13:19:19 +02:00			`with lib; {`
feat: add hardened module 2020-08-14 23:19:21 +02:00			`boot.loader.systemd-boot.editor = mkDefault false;`

chore(flake): update inputs 2022-01-31 22:49:52 +01:00			`nix.settings.allowed-users = mkDefault [ "@users" ];`
feat: add hardened module 2020-08-14 23:19:21 +02:00
			`# causes Firefox & Tor Browser segfaults`
			`# environment.memoryAllocator.provider = mkDefault "scudo";`
			`# environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";`

			`# mullvad-daemon is blocked by one of these measures`

			`# security.hideProcessInformation = mkDefault true;`

			`# security.lockKernelModules = mkDefault true;`

			`# security.protectKernelImage = mkDefault true;`

			`security.apparmor.enable = mkDefault true;`
			`}`