feat: fs hardening

thanks poz :3
sioodmy · Jan 11, 2025 · a9b1da6 · a9b1da6
1 parent 0a5a6e5
commit a9b1da6
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/system/security/default.nix b/system/security/default.nix
@@ -18,6 +18,13 @@
       packages = [pkgs.apparmor-profiles];
     };
   };
+  # credits: poz
+  fileSystems = let
+    defaults = ["nodev" "nosuid" "noexec"];
+  in {
+    "/boot".options = defaults;
+    "/var/log".options = defaults;
+  };
   boot = {
     blacklistedKernelModules = [
       # Obscure network protocols