harden: no extraneous permissions on /root, /var and /etc

hosts/default/configuration.nix

@@ -5,6 +5,7 @@
     [
       ./hardware-configuration.nix
       ./disable-broken-wifi-card.nix
+      ./filesystem-hardening.nix
     ];
 
   boot = {

hosts/default/filesystem-hardening.nix

@@ -0,0 +1,32 @@
+{
+  fileSystems = {
+    "/root" = {
+      device = "/root";
+      options = [
+        "bind"
+        "nosuid"
+        "noexec"
+        "nodev"
+      ];
+    };
+
+    "/var" = {
+      device = "/var";
+      options = [
+        "bind"
+        "nosuid"
+        "noexec"
+        "nodev"
+      ];
+    };
+
+    "/etc" = {
+      device = "/etc";
+      options = [
+        "bind"
+        "nosuid"
+        "nodev"
+      ];
+    };
+  };
+}