nix
/
System
2
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Make hardening use 5.18 kernel

This commit is contained in:
nathan mccarty 2022-07-18 00:10:09 -04:00
parent e505371006
commit aa955163da
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
machines/levitation/configuration.nix
View File

@ -37,7 +37,7 @@
isDesktop = true; isDesktop = true;
setupGrub = true; setupGrub = true;
nix.autoUpdate = false; nix.autoUpdate = false;
harden = false; harden = true;
windows = { windows = {
enable = true; enable = true;
mount = { mount = {

13
modules/linux/base.nix
View File

@ -15,6 +15,13 @@ with lib;
}; };
}) })
(mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs)) (mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs))
(mkIf config.nathan.config.harden {
boot.kernelPackages = pkgs.linuxPackages_5_18_hardened;
security = {
allowSimultaneousMultithreading = true;
unprivilegedUsernsClone = true;
};
})
(mkIf ((! config.nathan.config.harden) && config.nathan.config.isDesktop) { (mkIf ((! config.nathan.config.harden) && config.nathan.config.isDesktop) {
# Use the zen kernel with muqss turned on # Use the zen kernel with muqss turned on
boot.kernelPackages = boot.kernelPackages =
@ -42,5 +49,11 @@ with lib;
dates = "2:00"; dates = "2:00";
}; };
}) })
# Systemd user service cludge
{
systemd.user.extraConfig = ''
DefaultEnvironment="PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${config.nathan.config.user}/bin"
'';
}
]; ];
} }