diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 7933487..133f649 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -42,8 +42,7 @@ in {
networking.firewall.enable = true;
- # hideProcessInformation even if hardened kernel profile is disabled
- security.hideProcessInformation = true;
+ nix-bitcoin.security.hideProcessInformation = true;
# Tor
services.tor = {
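Review bot: The rationale comment was dropped together with the old line, so the new `nix-bitcoin.security.hideProcessInformation = true;` no longer says why the preset turns this on independently of the hardened kernel profile, nor that the switch now also pulls in the D-Bus unit-information restriction defined in modules/security.nix. Restore it as `# Enable hideProcessInformation (and the matching D-Bus restriction) even if the hardened kernel profile is disabled`. The enclosing attrset (`in {` in the hunk header) starts and ends outside the hunk.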
diff --git a/modules/security.nix b/modules/security.nix
index f4d2c78..cd5ad4e 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -1,33 +1,39 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, options, ... }:
{
- # Only show the current user's processes in /proc.
- # Users with group 'proc' can still access all processes.
- security.hideProcessInformation = true;
+ options = {
+ nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
+ };
- # This mitigates a systemd security issue leaking (sub)process
- # command lines.
- # Only allow users with group 'proc' to retrieve systemd unit information like
- # cgroup paths (i.e. (sub)process command lines) via D-Bus.
- # This D-Bus call is used by `systemctl status`.
- services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
- (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
-
-
-
-
-
-
-
-
- '')
- ];
+ config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
+ # Only show the current user's processes in /proc.
+ # Users with group 'proc' can still access all processes.
+ security.hideProcessInformation = true;
+
+ # This mitigates a systemd security issue leaking (sub)process
+ # command lines.
+ # Only allow users with group 'proc' to retrieve systemd unit information like
+ # cgroup paths (i.e. (sub)process command lines) via D-Bus.
+ # This D-Bus call is used by `systemctl status`.
+ services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
+ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
+
+
+
+
+
+
+
+
+ '')
+ ];
+ };
}
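Review bot: The D-Bus policy written by `writeTextDir "etc/dbus-1/system.d/dbus.conf"` is what limits systemd unit introspection to group 'proc', but its `<busconfig>` body is blank in this rendering, so the deny/allow rules cannot be checked here; confirm they survived the move into the `lib.mkIf` block unchanged. Declaring the option as `nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;` reuses the evaluated NixOS option, so the type, default and description come from nixpkgs and the preset becomes the only place that enables the hardening; a comment above it such as `# Mirrors security.hideProcessInformation so that the D-Bus restriction below is applied together with hidepid.` would make that coupling explicit. If a future nixpkgs removes `security.hideProcessInformation`, both this declaration and the `config` body fail at evaluation time; an explicit `lib.mkOption { type = lib.types.bool; default = false; description = "…"; }` would keep the module's interface independent of that, which is presumably worth the few extra lines.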