diff --git a/examples/configuration.nix b/examples/configuration.nix index 9c7e9b2..e42e357 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -9,8 +9,7 @@ # FIXME: The hardened kernel profile improves security but # decreases performance by ~50%. # Turn it off when not needed. - # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix - + # FIXME: Uncomment next line to import your hardware configuration. If so, # add the hardware configuration file to the same directory as this file. @@ -208,10 +207,6 @@ # FIXME: Add custom options (like boot options, output of # nixos-generate-config, etc.): - # If the hardened profile is imported above, we need to explicitly allow - # user namespaces to enable sanboxed builds and services. - security.allowUserNamespaces = true; - # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/modules/presets/hardened.nix b/modules/presets/hardened.nix new file mode 100644 index 0000000..16833a6 --- /dev/null +++ b/modules/presets/hardened.nix @@ -0,0 +1,14 @@ +{ + imports = [ + # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix + + ]; + + ## Reset some options set by the hardened profile + + # Needed for sandboxed builds and services + security.allowUserNamespaces = true; + + # The "scudo" allocator is broken on NixOS 20.09 + environment.memoryAllocator.provider = "libc"; +}
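Review bot: In the new `modules/presets/hardened.nix`, `security.allowUserNamespaces = true;` re-opens unprivileged user namespaces system-wide, which is one of the attack-surface reductions the hardened profile makes, yet the comment only says it is needed for sandboxed builds and does not record that a mitigation is being traded away. I would extend it so the next reader sees a deliberate risk acceptance rather than a default, e.g. `# Needed for sandboxed builds and services. NOTE: this re-enables unprivileged user namespaces, a recurrent kernel privilege-escalation surface the hardened profile disables; keep it only if you rely on the Nix sandbox or namespaced services.` The `"scudo"` reversion likewise drops the allocator hardening the profile selected without saying so; the comment should link the upstream issue it works around and flag it as temporary, e.g. `# The "scudo" allocator is broken on NixOS 20.09 (link the upstream issue here); falling back to plain libc loses the hardened allocator, so re-test this on the next release.` Since this module is intended to be imported by user configurations, consider setting both options with `lib.mkOverride` at a priority above the profile's but below a plain assignment so importers can override them without `mkForce`; whether that is needed depends on how the upstream profile sets them, which is not visible in this diff.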