From be9cadd49f079f3e4a6cdd8bdee463436a21723b Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sun, 21 May 2023 19:20:18 +0300
Subject: fix nixinate, add mullvad firejail
---
 profiles/network.nix | 4 ++--
 profiles/security.nix | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'profiles')
diff --git a/profiles/network.nix b/profiles/network.nix
index c959824..461106f 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -17,7 +17,7 @@
 networkmanager.enable = true;
 useDHCP = false;
 nameservers = ["127.0.0.1" "::1"];
- # networkmanager.dns = "none";
+ networkmanager.dns = "none";
 extraHosts = ''
 100.99.246.128 pc
 100.105.242.70 phone
@@ -49,7 +49,7 @@
 };
 # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
- server_names = []; # tailscale magicdns
+ # server_names = [ ... ];
 };
 };
diff --git a/profiles/security.nix b/profiles/security.nix
index 9ae5cef..63c5fe4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -7,16 +7,18 @@
 }: {
 imports = [];
 config = {
+ programs.firejail.enable = true;
 security.auditd.enable = true;
 security.audit.enable = true;
 security.audit.rules = [
 "-a exit,always -F arch=b64 -S execve"
 ];
+ # https://source.android.com/docs/security/test/scudo
 environment.memoryAllocator.provider = "scudo";
 environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
- # security.lockKernelModules = true;
+ security.lockKernelModules = true;
 security.protectKernelImage = true;
 security.allowSimultaneousMultithreading = false;
 security.forcePageTableIsolation = true;
--
cgit 1.4.1
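Review bot: In the first hunk of profiles/network.nix, the now-active `networkmanager.dns = "none";` has no comment saying that NetworkManager stops writing resolv.conf, which leaves the loopback entries in `nameservers` as the only resolver and makes lookups fail whenever that local service is down. Failing closed is reasonable for a privacy-oriented setup, but it should be stated next to the option, e.g. `# NetworkManager must not touch resolv.conf; all lookups go through the local resolver on 127.0.0.1/::1`. The 100.x addresses in `extraHosts` suggest an overlay VPN client; whether that client is also kept from rewriting resolv.conf is not visible here and is worth confirming. The enclosing attribute set starts and ends outside the hunk.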
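Review bot: In the second hunk of profiles/network.nix, dropping `server_names` leaves resolver selection entirely to whatever filters the surrounding settings define, and those lie outside the hunk. If this is a dnscrypt-proxy settings block, as the linked resolver list suggests, an unset `server_names` lets any resolver from the configured sources that passes `require_dnssec` / `require_nolog` / `require_nofilter` receive queries. Either confirm those filters are set above, or replace the placeholder comment with an explicit list such as `server_names = [ "<resolver-name>" ];` (placeholder name).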
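Review bot: In profiles/security.nix, `programs.firejail.enable = true;` on its own installs the setuid-root firejail wrapper but confines nothing; the subject mentions Mullvad, yet no `programs.firejail.wrappedBinaries` entry is visible in this hunk (the patch view is limited to `profiles/`, so it may be defined elsewhere). If no wrapper exists, the change only adds a privileged binary to the system. Separately, with `security.lockKernelModules = true;` now active, every module needed after boot (VPN or tunnel drivers, hot-plugged hardware) has to be preloaded, e.g. `boot.kernelModules = [ "<module-name>" ];` (placeholder), and a short comment beside the option saying so would save a confusing failure later. The `config` attribute set continues past the end of the hunk.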