hardened

2020-02-16 09:23:31 +00:00 · 2020-02-16 09:23:31 +00:00 · c8102cafbe
commit c8102cafbe
parent 4551b20c89
2 changed files with 3 additions and 1 deletions
--- a/nixos/boot.nix
+++ b/nixos/boot.nix
@ -11,7 +11,6 @@
      "kernel.dmesg_restrict" = true;
      "kernel.unprivileged_bpf_disabled" = true;
      "kernel.unprivileged_userns_clone" = 1;
-      "net.core.bpf_jit_enable" = pkgs.lib.mkDefault false;
      "net.core.bpf_jit_harden" = true;
    };
    loader.grub = {
--- a/nixos/common.nix
+++ b/nixos/common.nix
@ -6,6 +6,7 @@ in
  {
    imports =
      [
+        <nixpkgs/nixos/modules/profiles/hardened.nix>
        ./vscode.nix
        ./syncthing.nix
        ./gsconnect.nix
@ -14,6 +15,8 @@ in
        ./vim.nix
      ];

+      security.allowUserNamespaces = true;
+
      nixpkgs.config = {
        allowUnfree = true;
        packageOverrides = pkgs: {