From 83acc14467c0de681d0bbce6524e044d40bddf43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Fri, 14 Apr 2023 22:18:38 +0200
Subject: [PATCH] feat(system): improve hardened.nix

Import from nixpkgs as basis and override settings that cause problems.
---
 hardware/base.nix | 2 +-
 system/hardened.nix | 23 +++++------------------
 2 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/hardware/base.nix b/hardware/base.nix
index e36cca0..913e626 100644
--- a/hardware/base.nix
+++ b/hardware/base.nix
@@ -4,7 +4,7 @@
 imports = [ ./planck.nix ];
 boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
- boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;

diff --git a/system/hardened.nix b/system/hardened.nix
index bfe2b17..77e9b4e 100644
--- a/system/hardened.nix
+++ b/system/hardened.nix
@@ -1,23 +1,10 @@
-{ config, pkgs, lib, ... }:
+{ config, modulesPath, pkgs, lib, ... }:
-# utilises some of the measures from
-#
 with lib;
 {
+ imports = [ "${modulesPath}/profiles/hardened.nix" ];
+
 boot.loader.systemd-boot.editor = mkDefault false;
- nix.settings.allowed-users = mkDefault [ "@users" ];
-
- # causes Firefox & Tor Browser segfaults
- # environment.memoryAllocator.provider = mkDefault "scudo";
- # environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
- # mullvad-daemon is blocked by one of these measures
-
- # security.hideProcessInformation = mkDefault true;
-
- # security.lockKernelModules = mkDefault true;
-
- # security.protectKernelImage = mkDefault true;
-
- security.apparmor.enable = mkDefault true;
+ # scudo causes Firefox & Tor Browser segfaults
+ environment.memoryAllocator.provider = "libc";
 }
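Review bot: `lib.mkOverride 0` on the `boot.kernelPackages` line is stronger than the situation needs and is undocumented: as I understand the imported nixpkgs hardened profile, it picks its kernel (`linuxPackages_hardened`) with `mkDefault`, priority 1000, so `lib.mkForce` (priority 50) already wins, whereas priority 0 means no other module in this configuration can ever choose a kernel without an evaluation conflict. The security-relevant part is that this line deliberately throws away the hardened kernel build the profile would otherwise select, which is one of the profile's most significant measures, and nothing in the hunk says why. I would make the trade-off explicit and use the conventional priority: `# Keep the latest mainline kernel for hardware support; this knowingly drops the hardened kernel the imported hardened profile would set via mkDefault.` followed by `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;`.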
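Review bot: After importing the profile, the only measure this hunk overrides is the scudo allocator, yet the comments it deletes also recorded that `security.hideProcessInformation`, `security.lockKernelModules` and `security.protectKernelImage` were kept off because one of them blocks mullvad-daemon; as far as I know the nixpkgs hardened profile turns `lockKernelModules` and `protectKernelImage` on by default, so that breakage most likely returns silently with this commit. Either re-add explicit opt-outs that keep the reason, e.g. `security.lockKernelModules = false; # one of lockKernelModules/protectKernelImage/hideProcessInformation blocked mullvad-daemon; re-test before enabling`, or add a comment stating the daemon was re-verified with the profile's defaults. The `"libc"` assignment also silently outranks the profile's `mkDefault "scudo"` while the line above still uses `mkDefault`; a comment such as `# plain assignment intentionally overrides the profile's mkDefault "scudo"` makes the intent clear, and note the profile's `SCUDO_OPTIONS` environment variable will still be exported (harmless with glibc malloc, but worth knowing).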