fix hardened kernel with nix sandbox

modules/security.nix

@@ -13,6 +13,12 @@
   # disable coredumps
   systemd.coredump.enable = false;
 
+  # The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
+  # prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
+  # that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
+  # served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
+  security.unprivilegedUsernsClone = true;
+
   services = {
     dbus.implementation = "broker";
     /*