sourcephile / git / sourcephile-nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
mermet: fail2ban: add intranet on the ignoreIP
[sourcephile-nix.git] / nixos / defaults / security.nix
diff --git a/nixos/defaults/security.nix b/nixos/defaults/security.nix
index 7946eac6de9e5b9e08e60977acc88da2b2d9bc63..b7be60647b2fab5ec1c3d39843d1991754ab3b3a 100644 (file)
--- a/nixos/defaults/security.nix
+++ b/nixos/defaults/security.nix
@@ -1,12 +1,11 @@
 { inputs, pkgs, lib, config, ... }:
 {
-boot.kernelPackages = pkgs.linuxPackages_hardened;
+boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
 #environment.memoryAllocator.provider = "libc";
 nix.allowedUsers = [ "@users" ];
 security.allowSimultaneousMultithreading = false;
 security.apparmor.enable = true;
 security.forcePageTableIsolation = true;
-security.hideProcessInformation = true;
 security.lockKernelModules = lib.mkDefault true;
 security.protectKernelImage = true;
 security.virtualisation.flushL1DataCache = "always";
@@ -121,7 +120,8 @@ boot.kernelParams = [
   "vsyscall=none"
   "debugfs=off"
   "oops=panic"
-  "module.sig_enforce=1"
+  # Disabled because zfs and wireguard modules are not signed
+  "module.sig_enforce=0"
   "lockdown=confidentiality"
   "mce=0"
   #"quiet"
NixOS configurations for Sourcephile's infrastructure