From eb5d0bb0937f51f10a27c43f601b4b83189d27f4 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Sun, 18 Jan 2026 02:29:13 -0500
Subject: [PATCH] security things
---
 configuration.nix | 1 +
 modules/security.nix | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 modules/security.nix
diff --git a/configuration.nix b/configuration.nix
index ae71767..e9d1265 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -18,6 +18,7 @@
 ./modules/age-secrets.nix
 ./modules/secureboot.nix
 ./modules/no-rgb.nix
+ ./modules/security.nix
 ./services/postgresql.nix
 ./services/jellyfin.nix
diff --git a/modules/security.nix b/modules/security.nix
new file mode 100644
index 0000000..d4d057b
--- /dev/null
+++ b/modules/security.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ # memory allocator
+ # BREAKS REDIS-IMMICH
+ # environment.memoryAllocator.provider = "graphene-hardened";
+
+ # disable coredumps
+ systemd.coredump.enable = false;
+
+ services = {
+ dbus.implementation = "broker";
+ /*
+ logrotate.enable = true;
+ journald = {
+ storage = "volatile"; # Store logs in memory
+ upload.enable = false; # Disable remote log upload (the default)
+ extraConfig = ''
+ SystemMaxUse=500M
+ SystemMaxFileSize=50M
+ '';
+ };
+ */
+ };
+}
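Review bot: The comment `# disable coredumps` in modules/security.nix overstates what `systemd.coredump.enable = false;` does: as the NixOS option is documented, it only stops systemd-coredump from processing dumps, and core files then appear in the crashing process's working directory. If the goal is that process memory (keys, tokens, decrypted secrets) is never written to disk, the module should also discard dumps at the kernel level, for example `boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.coreutils}/bin/false";` together with `boot.kernel.sysctl."fs.suid_dumpable" = 0;`. Checking `sysctl kernel.core_pattern` on the deployed host would confirm which behaviour is actually in effect. That change would also use the `pkgs` argument, which is currently unused; `config` and `lib` are unused in this file too and could be dropped from the argument set.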