feat: Make hardening use 5.18 kernel

2022-07-18 00:10:09 -04:00 · 2022-07-18 00:10:09 -04:00 · aa955163da
parent e505371006
commit aa955163da
2 changed files with 14 additions and 1 deletions
--- a/machines/levitation/configuration.nix
+++ b/machines/levitation/configuration.nix
@ -37,7 +37,7 @@
      isDesktop = true;
      setupGrub = true;
      nix.autoUpdate = false;
-      harden = false;
+      harden = true;
      windows = {
        enable = true;
        mount = {
--- a/modules/linux/base.nix
+++ b/modules/linux/base.nix
@ -15,6 +15,13 @@ with lib;
        };
      })
    (mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs))
+    (mkIf config.nathan.config.harden {
+      boot.kernelPackages = pkgs.linuxPackages_5_18_hardened;
+      security = {
+        allowSimultaneousMultithreading = true;
+        unprivilegedUsernsClone = true;
+      };
+    })
    (mkIf ((! config.nathan.config.harden) && config.nathan.config.isDesktop) {
      # Use the zen kernel with muqss turned on
      boot.kernelPackages =
@ -42,5 +49,11 @@ with lib;
          dates = "2:00";
        };
      })
+    # Systemd user service cludge
+    {
+      systemd.user.extraConfig = ''
+        DefaultEnvironment="PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${config.nathan.config.user}/bin"
+      '';
+    }
  ];
 }