From c8e73c959e09f8ca47e33392b6e37a5a683b4591 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 16 Dec 2020 18:57:57 +0100
Subject: [PATCH] fix 'hardened' profile for NixOS 20.09

The 'scudo' memory allocator set by the 'hardened' profile breaks some services on 20.09. The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052) is ineffective on 20.09. As a workaround, add a custom 'hardened' preset that uses the default allocator.
---
 examples/configuration.nix | 7 +------
 modules/presets/hardened.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 modules/presets/hardened.nix
diff --git a/examples/configuration.nix b/examples/configuration.nix
index 9c7e9b2..e42e357 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -9,8 +9,7 @@
 # FIXME: The hardened kernel profile improves security but
 # decreases performance by ~50%.
 # Turn it off when not needed.
- # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
-
+
 # FIXME: Uncomment next line to import your hardware configuration. If so,
 # add the hardware configuration file to the same directory as this file.
@@ -208,10 +207,6 @@
 # FIXME: Add custom options (like boot options, output of
 # nixos-generate-config, etc.):
- # If the hardened profile is imported above, we need to explicitly allow
- # user namespaces to enable sanboxed builds and services.
- security.allowUserNamespaces = true;
-
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you
diff --git a/modules/presets/hardened.nix b/modules/presets/hardened.nix
new file mode 100644
index 0000000..16833a6
--- /dev/null
+++ b/modules/presets/hardened.nix
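Review bot: The FIXME block above the replaced import in the first hunk still describes only the hardened kernel profile's performance cost, while the file the diffstat adds (modules/presets/hardened.nix) also re-enables user namespaces and changes the memory allocator, so a reader of the example config no longer sees where those overrides come from. Suggest a line next to the import such as `# This preset also re-enables user namespaces and uses the default allocator; see modules/presets/hardened.nix`. The added import line's path is not readable in this rendering of the patch (angle-bracket paths appear to have been stripped), so this assumes it points at the new preset.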
@@ -0,0 +1,14 @@
+{
+ imports = [
+ # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+
+ ];
+
+ ## Reset some options set by the hardened profile
+
+ # Needed for sandboxed builds and services
+ security.allowUserNamespaces = true;
+
+ # The "scudo" allocator is broken on NixOS 20.09
+ environment.memoryAllocator.provider = "libc";
+}
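Review bot: `environment.memoryAllocator.provider = "libc";` applies wherever this preset is imported, not only on 20.09, so it also gives up scudo's heap hardening on releases where the upstream fix the commit message cites (nixpkgs PR 104052) makes scudo usable. If later releases are expected to use this preset, gating the override on the release — `{ lib, ... }:` at the top of the file and `environment.memoryAllocator.provider = lib.mkIf (lib.versionOlder lib.version "21.05") "libc";` — drops the definition there and presumably lets the hardened profile's own allocator default take effect again; "21.05" is a placeholder for whichever release first carries the fix. Either way the comment should record the trade-off and the removal condition, e.g. `# WORKAROUND (NixOS 20.09): scudo breaks some services; libc loses scudo's heap hardening. Remove once the fix from nixpkgs PR 104052 is in the tracked release.` The `# Needed for sandboxed builds and services` comment would similarly benefit from noting that the hardened profile disables user namespaces to reduce kernel attack surface, so re-enabling them is a deliberate trade-off rather than a bug fix.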