From d5c5ac2f0cf1924868cdabfae5cb72a37a5f3714 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 22 Jan 2024 12:21:37 +0800
Subject: [PATCH] nixos/profiles/server: remove `hardened-config` submodule

We're also moving it to a profiles module ala-nixpkgs.
---
 configs/nixos/plover/default.nix | 1 -
 modules/nixos/_private/profiles/server.nix | 27 ----------------------
 modules/nixos/profiles/hardened.nix | 18 +++++++++++++++
 3 files changed, 18 insertions(+), 28 deletions(-)
 create mode 100644 modules/nixos/profiles/hardened.nix
diff --git a/configs/nixos/plover/default.nix b/configs/nixos/plover/default.nix
index b2bdc1e7..b76bf0ae 100644
--- a/configs/nixos/plover/default.nix
+++ b/configs/nixos/plover/default.nix
@@ -55,7 +55,6 @@ profiles.server = {
 enable = true;
- hardened-config.enable = true;
 cleanup.enable = true;
 };
diff --git a/modules/nixos/_private/profiles/server.nix b/modules/nixos/_private/profiles/server.nix
index 07b322b6..6e93ad2f 100644
--- a/modules/nixos/_private/profiles/server.nix
+++ b/modules/nixos/_private/profiles/server.nix
@@ -9,7 +9,6 @@ in
 {
 options.profiles.server = {
 enable = lib.mkEnableOption "server-related settings";
- hardened-config.enable = lib.mkEnableOption "additional hardened configuration for NixOS systems";
 cleanup.enable = lib.mkEnableOption "cleanup service for the system";
 auto-upgrade.enable = lib.mkEnableOption "unattended system upgrades";
 };
@@ -70,32 +69,6 @@ in
 i18n.supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
 })
- # Most of the things here are based from the Securing Debian document.
- (lib.mkIf cfg.hardened-config.enable {
- # Don't replace it mid-way! DON'T TURN LEFT!!!!
- security.protectKernelImage = true;
-
- # Hardened config equals hardened kernel.
- boot.kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_6_6_hardened;
-
- # Be STRICT! MUAHAHAHAHA!!!!
- services.fail2ban = {
- enable = true;
- bantime-increment = {
- enable = true;
- factor = "4";
- maxtime = "24h";
- overalljails = true;
- };
- extraPackages = with pkgs; [ ipset ];
- };
-
- boot.kernel.sysctl = {
- # Disable system console entirely. We don't need it so get rid of it.
- "kernel.sysrq" = 0;
- };
- })
-
 (lib.mkIf cfg.auto-upgrade.enable {
 system.autoUpgrade = {
 enable = true;
diff --git a/modules/nixos/profiles/hardened.nix b/modules/nixos/profiles/hardened.nix
new file mode 100644
index 00000000..f24d9c0b
--- /dev/null
+++ b/modules/nixos/profiles/hardened.nix
@@ -0,0 +1,18 @@
+# A extended hardened configuration from nixpkgs for desktop and server
+# systems.
+{ pkgs, lib, modulesPath, ... }:
+
+{
+ imports = [
+ "${modulesPath}/profiles/hardened.nix"
+ ];
+
+ # Don't replace it mid-way! DON'T TURN LEFT!!!!
+ security.protectKernelImage = true;
+
+ # Hardened config equals hardened kernel.
+ boot.kernelPackages = lib.mkOverride 500 pkgs.linuxKernel.packages.linux_6_6_hardened;
+
+ # Disable system console entirely. We don't need it so get rid of it.
+ boot.kernel.sysctl."kernel.sysrq" = 0;
+}
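Review bot: The `services.fail2ban` block (with `bantime-increment` and the `ipset` extra package) that the server.nix hunk removes is not carried into this new profile, so a host that had `profiles.server.hardened-config.enable` set — plover, per the first hunk — loses fail2ban together with `protectKernelImage`, the hardened kernel and the sysrq sysctl unless it imports `modules/nixos/profiles/hardened.nix` somewhere this patch does not show. Either add the fail2ban block here (or behind its own option) or say in the commit message that dropping it is intentional. The comment above `boot.kernel.sysctl."kernel.sysrq"` is misleading, since `kernel.sysrq = 0` disables the magic SysRq key rather than the system console; suggest `# Disable the magic SysRq key; nothing here needs it.`. The header should read `# An extended hardened configuration from nixpkgs for desktop and server systems.`, and the `mkOverride 500` presumably exists to win over the nixpkgs profile's own default kernel package — a one-line comment stating that would save the next reader a lookup.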