Use hardened kernel profile

2019-04-27 12:19:56 +00:00 · 2019-04-27 12:19:56 +00:00 · 2d20c1ae02
parent 66095871c6
commit 2d20c1ae02
1 changed files with 10 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -5,6 +5,12 @@
 { config, pkgs, ... }: {
  imports = [
    ./modules/nix-bitcoin.nix
+
+    # Use hardened kernel profile. See
+    # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+    # for the enabled options.
+     <nixpkgs/nixos/modules/profiles/hardened.nix>
+
    # FIXME: Uncomment next line to import your hardware configuration. If so,
    # add the hardware configuration file to the same directory as this file.
    # This is not needed when deploying to a virtual box.
@ -97,6 +103,10 @@
  # nixos-generate-config, etc.):


+  # If the hardened profile is imported above, we need to explicitly allow
+  # user namespaces to enable sanboxed builds and services.
+  security.allowUserNamespaces = true;
+
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you