From a9b1da6a155ff4868257b4d39a34b78b4fb24e6e Mon Sep 17 00:00:00 2001
From: sioodmy
Date: Sat, 11 Jan 2025 21:26:49 +0100
Subject: [PATCH] feat: fs hardening thanks poz :3
---
 system/security/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/system/security/default.nix b/system/security/default.nix
index b64158cd..8fb9e2c8 100644
--- a/system/security/default.nix
+++ b/system/security/default.nix
@@ -18,6 +18,13 @@
 packages = [pkgs.apparmor-profiles];
 };
 };
+ # credits: poz
+ fileSystems = let
+ defaults = ["nodev" "nosuid" "noexec"];
+ in {
+ "/boot".options = defaults;
+ "/var/log".options = defaults;
+ };
 boot = {
 blacklistedKernelModules = [
 # Obscure network protocols
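Review bot: The new `fileSystems` block sets only `options` for `/boot` and `/var/log`, so this shared module silently depends on every host declaring both paths as separate mounts (with `device`/`fsType`) elsewhere. On a host where `/var/log` is an ordinary directory on the root filesystem, the entry would have no device, and as far as I can tell NixOS then fails while generating fstab rather than applying any hardening. I would state that requirement next to the `# credits: poz` line, e.g. `# hosts must declare /boot and /var/log as separate mounts; only the mount options are set here`. The binding name `defaults` also reads like the fstab keyword `defaults`, which means roughly the opposite; `hardened = ["nodev" "nosuid" "noexec"];` would be clearer. The enclosing attribute set begins and ends outside the hunk.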