From 3a950982804b36811a773d2a1b65e6bc2ca9a2c7 Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Fri, 14 Aug 2020 23:19:21 +0200
Subject: [PATCH] feat: add hardened module

---
 hardware/base.nix | 1 -
 system/default.nix | 1 +
 system/hardened.nix | 24 ++++++++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 system/hardened.nix

diff --git a/hardware/base.nix b/hardware/base.nix
index 0d76bd8..4042b49 100644
--- a/hardware/base.nix
+++ b/hardware/base.nix
@@ -14,7 +14,6 @@
 boot.supportedFilesystems = [ "ntfs" ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
 boot.loader.systemd-boot.enable = true;
- boot.loader.systemd-boot.editor = false;
 boot.loader.efi.canTouchEfiVariables = true;
 
 services.smartd.enable = true;
diff --git a/system/default.nix b/system/default.nix
index 81a193a..60dd988 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -2,6 +2,7 @@
 
 {
 imports = [
+ ./hardened.nix
 ./i18n.nix
 ./nix.nix
 ./vpn.nix
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..920ad9d
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+# utilises some of the measures from
+#
+with lib;
+{
+ boot.loader.systemd-boot.editor = mkDefault false;
+
+ nix.allowedUsers = mkDefault [ "@users" ];
+
+ # causes Firefox & Tor Browser segfaults
+ # environment.memoryAllocator.provider = mkDefault "scudo";
+ # environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+ # mullvad-daemon is blocked by one of these measures
+
+ # security.hideProcessInformation = mkDefault true;
+
+ # security.lockKernelModules = mkDefault true;
+
+ # security.protectKernelImage = mkDefault true;
+
+ security.apparmor.enable = mkDefault true;
+}
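Review bot: Three kernel-hardening options at the bottom of hardened.nix are left commented out because "mullvad-daemon is blocked by one of these measures", without identifying which one, so the module as shipped only locks the boot editor, restricts nix-daemon access and turns on AppArmor. The most plausible culprit is `security.lockKernelModules`, since a VPN daemon typically loads `tun` or `wireguard` at runtime; if a bisect confirms that, pre-loading them with `boot.kernelModules = [ "tun" "wireguard" ];` lets the lock be re-enabled, and `security.protectKernelImage` (which, as far as I recall of the NixOS option, mainly disables kexec and hibernation) is unlikely to be the blocker and could be re-enabled independently. Note also that `boot.loader.systemd-boot.editor = mkDefault false;` is weaker than the plain `false` this commit removes from hardware/base.nix: a plain `editor = true` in any other module now wins silently instead of raising an option conflict, so for a setting that otherwise lets anyone at the console boot with `init=/bin/sh` a plain assignment or `mkForce false` is preferable. The reference comment at the top (`# utilises some of the measures from` followed by a bare `#`) has lost its URL and should name the source, presumably the upstream NixOS hardened profile.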