From baeb1e5e60b4602a0800c2813266dc03fa1c579e Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Fri, 8 May 2026 16:17:23 +0900
Subject: [PATCH] base/hardening: move hardening options from base/default

---
 base/default.nix   | 2 --
 base/hardening.nix | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/base/default.nix b/base/default.nix
index 83a6be7..031f5d0 100644
--- a/base/default.nix
+++ b/base/default.nix
@@ -71,8 +71,6 @@
     fi
   '';
 
-  # security.lockKernelModules = true;
-  security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never
diff --git a/base/hardening.nix b/base/hardening.nix
index 9e163f3..588b8fd 100644
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -58,4 +58,7 @@
     "nfc"
     "soundwire"
   ];
+
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
 }