feat: conservative hardening options

configuration.nix

@@ -2,6 +2,7 @@
   config,
   pkgs,
   lib,
+  modulesPath,
   ...
 }:
 let
@@ -46,6 +47,7 @@ in
     ./webserver/memcached.nix
     ./postgresql/postgresql.nix
     # ./resources/limits.nix
+    "${modulesPath}/profiles/hardened.nix"
   ];
 
   environment.etc."sp-fetch-remote-module.nix" = {
@@ -216,9 +218,6 @@ in
     (import ./overlay.nix config.nixpkgs.hostPlatform.system)
   ];
   services.journald.extraConfig = "SystemMaxUse=500M";
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
-  };
   # TODO must be configurable and determined at nixos-infect stage
   swapDevices = [
     {
@@ -227,12 +226,24 @@ in
       size = 2048;
     }
   ];
-  # TODO why is sudo needed?
-  security = {
-    sudo = {
-      enable = true;
-    };
-  };
+
   systemd.enableEmergencyMode = false;
   systemd.coredump.enable = false;
+
+  environment.memoryAllocator.provider = "libc"; # Scudo has problems with PHP, which may cause PHP to segfault...
+  
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
+    "kernel.core_pattern" = "|${pkgs.coreutils}/bin/false"; # Ignore coredumps
+    "kernel.yama.ptrace_scope" = "3"; # Disable ptrace()
+    "kernel.io_uring_disabled" = "2"; # io_uring has huge attack surface and is not used by any module in SelfPrivacy.
+
+    "dev.tty.ldisc_autoload" = "0";
+
+    "kernel.kexec_load_disabled" = "1";
+    "kernel.unprivileged_bpf_disabled" = "1"; # Only systemd uses eBPF.
+    "kernel.kptr_restrict" = "2"; # Hide kernel pointer locations.
+
+    "vm.unprivileged_userfaultfd" = "0"; # Reduce attack surface
+  };
 }