From 182932de5fee888055453f28170ebef2648479e4 Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Wed, 1 Dec 2021 20:37:22 -0500
Subject: [PATCH] modules/security: add hlissner-based security config
---
 modules/modules/boot.nix | 4 +++-
 modules/modules/security.nix | 13 +++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 modules/modules/security.nix
diff --git a/modules/modules/boot.nix b/modules/modules/boot.nix
index 4541cd4..e948a8f 100644
--- a/modules/modules/boot.nix
+++ b/modules/modules/boot.nix
@@ -45,8 +45,10 @@ in
 boot.loader = {
 systemd-boot = {
 enable = mkDefault true;
- editor = false;
 consoleMode = "2";
+
+ # See desc in nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+ editor = false;
 };
 efi.canTouchEfiVariables = true;
diff --git a/modules/modules/security.nix b/modules/modules/security.nix
new file mode 100644
index 0000000..90c55ad
--- /dev/null
+++ b/modules/modules/security.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+with lib;
+with lib.hlissner;
+{
+ # Security settings based on https://github.com/hlissner/dotfiles/blob/master/modules/security.nix
+ security.acme.acceptTerms = true;
+
+ boot = {
+ # Make tmp volatile, using tmpfs is speedy on SSD systems
+ tmpOnTmpfs = mkDefault true;
+ cleanTmpDir = mkDefault (!config.boot.tmpOnTmpfs);
+ };
+}
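Review bot: The comment added above the moved `editor = false;` line in boot.nix points a reader at a nixpkgs source path instead of stating why the setting matters, so the rationale is lost to anyone reading this file on its own. The option controls whether the systemd-boot menu lets someone at the console edit the kernel command line before the system starts, which is why it is kept off as a hardening measure; a self-contained comment such as `# Disable the boot-time kernel command-line editor: console access must not be able to alter boot parameters` says that without depending on an external file. Note also that the setting is a plain `false` rather than `mkDefault false`, unlike `enable` two lines above, which is appropriate here since a downstream host should not quietly re-enable it. The enclosing `boot.loader` attribute set continues past the hunk.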
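Review bot: `with lib.hlissner;` on the third line of the new security.nix brings a whole project-specific namespace into scope, yet nothing in the file visibly uses it — `mkDefault` comes from `lib`, and the remaining lines are plain option paths. Because a later `with` shadows an earlier one in Nix, any `mkDefault` defined under `lib.hlissner` would silently win over `lib.mkDefault`, so the line is better dropped, or `mkDefault` referenced explicitly as `lib.mkDefault`, until the namespace is actually needed. Separately, the header comment says the file is "based on" an upstream security module, but what lands here is only ACME terms acceptance and volatile /tmp; a comment naming which upstream settings were deliberately left out would stop the next maintainer assuming the hardening is complete. This patch also does not show the new file being imported anywhere, so if the module tree is not auto-imported the file will be inert until it is added to `imports`.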