From aa955163da073e413bfb8418ee78b5a27bd1ac74 Mon Sep 17 00:00:00 2001
From: nathan mccarty
Date: Mon, 18 Jul 2022 00:10:09 -0400
Subject: [PATCH] feat: Make hardening use 5.18 kernel

---
 machines/levitation/configuration.nix | 2 +-
 modules/linux/base.nix | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/machines/levitation/configuration.nix b/machines/levitation/configuration.nix
index a1bf065..593baa6 100644
--- a/machines/levitation/configuration.nix
+++ b/machines/levitation/configuration.nix
@@ -37,7 +37,7 @@
 isDesktop = true;
 setupGrub = true;
 nix.autoUpdate = false;
- harden = false;
+ harden = true;
 windows = {
 enable = true;
 mount = {
diff --git a/modules/linux/base.nix b/modules/linux/base.nix
index 46e36e8..bc0b0ec 100644
--- a/modules/linux/base.nix
+++ b/modules/linux/base.nix
@@ -15,6 +15,13 @@ with lib;
 };
 })
 (mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs))
+ (mkIf config.nathan.config.harden {
+ boot.kernelPackages = pkgs.linuxPackages_5_18_hardened;
+ security = {
+ allowSimultaneousMultithreading = true;
+ unprivilegedUsernsClone = true;
+ };
+ })
 (mkIf ((! config.nathan.config.harden) && config.nathan.config.isDesktop) {
 # Use the zen kernel with muqss turned on
 boot.kernelPackages =
@@ -42,5 +49,11 @@ with lib;
 dates = "2:00";
 };
 })
+ # Systemd user service cludge
+ {
+ systemd.user.extraConfig = ''
+ DefaultEnvironment="PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${config.nathan.config.user}/bin"
+ '';
+ }
 ];
 }
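Review bot: The new `mkIf config.nathan.config.harden` block sets `security.allowSimultaneousMultithreading` and `security.unprivilegedUsernsClone` to `true`, reverting two protections the hardened profile imported on the line above disables by default, and records no reason; SMT re-exposes the host to cross-hyperthread side channels and unprivileged user namespaces re-expose a large kernel attack surface, so the trade-off belongs next to the override, e.g. `# Deliberately relaxed from the hardened profile: <reason SMT and userns are needed>`. The pin to `pkgs.linuxPackages_5_18_hardened` likewise needs a why-comment, because a version-specific attribute stops receiving updates once that series reaches end of life and is eventually dropped from nixpkgs, at which point every host with `harden = true` fails to evaluate; `# 5.18 pinned for <reason>; revisit when the series is EOL` makes the maintenance hook explicit. The enclosing module list starts and ends outside this hunk.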
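Review bot: The `DefaultEnvironment` written through `systemd.user.extraConfig` goes into the system-wide `/etc/systemd/user.conf`, so the user services of every account on the machine get a PATH pointing at the per-user profile of the single configured `${config.nathan.config.user}` rather than their own; on a multi-login host that puts one user's profile directory on the PATH of other users' services, which should at least be stated, if not narrowed to the intended account. The comment `# Systemd user service cludge` names neither the symptom nor when the workaround can go; something like `# Workaround: user units otherwise do not see the system and per-user profile bins on PATH; remove once <underlying cause> is fixed`, with the placeholder filled in, would. The enclosing list starts outside this hunk, so note that this block sits under no `mkIf` and applies whether or not `harden` is set.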