Diffstat (limited to 'profiles')
-rw-r--r--profiles/network.nix4
-rw-r--r--profiles/security.nix4
2 files changed, 5 insertions, 3 deletions
diff --git a/profiles/network.nix b/profiles/network.nix
index c959824..461106f 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -17,7 +17,7 @@
       networkmanager.enable = true;
       useDHCP = false;
       nameservers = ["127.0.0.1" "::1"];
-      # networkmanager.dns = "none";
+      networkmanager.dns = "none";
       extraHosts = ''
         100.99.246.128 pc
         100.105.242.70 phone
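Review bot: The now-active `networkmanager.dns = "none";` has no comment saying why it is set, so a later edit could disable it again without noticing that DHCP-supplied resolvers could then replace the loopback entries in `nameservers`. I would put `# keep NetworkManager from writing resolv.conf; all lookups must go through the local resolver on 127.0.0.1/::1` above it. With this setting, name resolution fails closed whenever the local resolver is not running; that is presumably intended, and the comment should say so. The enclosing attribute set starts and ends outside the hunk.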
@@ -49,7 +49,7 @@
         };
 
         # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        server_names = []; # tailscale magicdns
+        # server_names = [ ... ];
       };
     };
 
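Review bot: The new comment `# server_names = [ ... ];` is a placeholder that documents nothing, and it drops the old `# tailscale magicdns` rationale without replacing it. With the key unset (and, as far as I know, also with the previous empty list), dnscrypt-proxy selects from every resolver in the configured sources that passes the `require_*` filters, and those filters are not visible in this hunk. I would replace the line with `# server_names unset: any resolver from the sources list that passes the require_* filters may be used`, and confirm that `require_nolog` and `require_dnssec` are set where the rest of the settings live. The settings block starts outside the hunk.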
diff --git a/profiles/security.nix b/profiles/security.nix
index 9ae5cef..63c5fe4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -7,16 +7,18 @@
 }: {
   imports = [];
   config = {
+    programs.firejail.enable = true;
     security.auditd.enable = true;
     security.audit.enable = true;
     security.audit.rules = [
       "-a exit,always -F arch=b64 -S execve"
     ];
 
+    # https://source.android.com/docs/security/test/scudo
     environment.memoryAllocator.provider = "scudo";
     environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
 
-    # security.lockKernelModules = true;
+    security.lockKernelModules = true;
     security.protectKernelImage = true;
     security.allowSimultaneousMultithreading = false;
     security.forcePageTableIsolation = true;
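Review bot: `security.lockKernelModules = true;` blocks module loading once boot has finished, and nothing in this hunk lists the modules that are normally loaded on demand (USB storage, extra filesystems, the tunnel driver a VPN needs). Unless those are named in `boot.kernelModules` elsewhere, the affected devices and services will stop working after the switch; a comment such as `# modules needed after boot must be listed in boot.kernelModules` on that line would record the constraint. Separately, `programs.firejail.enable = true;` on its own installs the setuid-root firejail wrapper without sandboxing any program. If no `programs.firejail.wrappedBinaries` are defined elsewhere, the line adds privileged attack surface with no isolation gain. The `config` set continues past the end of the hunk.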