feat(system): improve hardened.nix

Import from nixpkgs as basis and override settings that cause problems.
2023-04-14 22:18:38 +02:00 · 2023-04-14 22:18:38 +02:00 · 83acc14467
parent 20876cf317
commit 83acc14467
2 changed files with 6 additions and 19 deletions
--- a/hardware/base.nix
+++ b/hardware/base.nix
@ -4,7 +4,7 @@
  imports = [ ./planck.nix ];

  boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
-  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

--- a/system/hardened.nix
+++ b/system/hardened.nix
@ -1,23 +1,10 @@
-{ config, pkgs, lib, ... }:
+{ config, modulesPath, pkgs, lib, ... }:

-# utilises some of the measures from
-# <nixpkgs/nixos/modules/profiles/hardened.nix>
 with lib; {
+  imports = [ "${modulesPath}/profiles/hardened.nix" ];
+
  boot.loader.systemd-boot.editor = mkDefault false;

-  nix.settings.allowed-users = mkDefault [ "@users" ];
-
-  # causes Firefox & Tor Browser segfaults
-  # environment.memoryAllocator.provider = mkDefault "scudo";
-  # environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
-  # mullvad-daemon is blocked by one of these measures
-
-  # security.hideProcessInformation = mkDefault true;
-
-  # security.lockKernelModules = mkDefault true;
-
-  # security.protectKernelImage = mkDefault true;
-
-  security.apparmor.enable = mkDefault true;
+  # scudo causes Firefox & Tor Browser segfaults
+  environment.memoryAllocator.provider = "libc";
 }