-rw-r--r--nixos/modules/profiles/hardened.nix2
-rw-r--r--nixos/tests/hardened.nix6
2 files changed, 8 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index d712fb2514b1..61e871bcaca5 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -12,6 +12,8 @@ with lib;
 
   boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
 
+  nix.allowedUsers = mkDefault [ "@users" ];
+
   security.hideProcessInformation = mkDefault true;
 
   security.lockKernelModules = mkDefault true;
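Review bot: The added `nix.allowedUsers = mkDefault [ "@users" ];` line has no comment saying why the hardened profile narrows daemon access or which accounts lose it. A short comment above it would help, for example `# Only members of the "users" group may connect to the Nix daemon; service and system accounts outside that group are refused.` Because the value is set with `mkDefault`, a definition at normal priority elsewhere presumably replaces this list rather than extending it, which is worth stating in the same comment so that nobody widens access by accident.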
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index bc279e489f91..e10a6363164a 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -64,5 +64,11 @@ import ./make-test.nix ({ pkgs, ...} : {
         $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
         $machine->succeed("mountpoint -q /efi"); # now mounted
       };
+
+      # Test Nix dæmon usage
+      subtest "nix-daemon", sub {
+        $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
+        $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
+      };
     '';
 })
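Review bot: In the `nix-daemon` subtest the result of `=~ "OK"` is evaluated and then discarded, so the alice check only proves that the command exits 0, not that its output contains OK. If the output is meant to be checked, make the match fatal: `$machine->succeed("su -l alice -c 'nix ping-store'") =~ /OK/ or die "nix ping-store did not report OK";`. The negative check for `nobody` can also pass for reasons unrelated to `nix.allowedUsers`, such as `su` itself failing for that account, so the subtest would still succeed if the restriction were dropped. Capturing the command's output and matching the daemon's refusal message would pin the behaviour under test; the exact message is not visible on this page. The enclosing test script starts outside the hunk.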