nixos/ananicy: disable ananicy-cpp's BPF on hardened kernels

nixos/modules/services/misc/ananicy.nix

@@ -18,7 +18,13 @@ let
     lib.concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.extraCgroups
   );
   servicename =
-    if ((lib.getName cfg.package) == (lib.getName pkgs.ananicy-cpp)) then "ananicy-cpp" else "ananicy";
+    if ((lib.getName cfg.package) == (lib.getName pkgs.ananicy-pp)) then "ananicy-cpp" else "ananicy";
+  # Ananicy-CPP with BPF is not supported on hardened kernels https://github.com/NixOS/nixpkgs/issues/327382
+  finalPackage =
+    if (servicename == "ananicy-cpp" && config.boot.kernelPackages.isHardened) then
+      (cfg.package { withBpf = false; })
+    else
+      cfg.package;
 in
 {
   options.services.ananicy = {
@@ -107,7 +113,7 @@ in
 
   config = lib.mkIf cfg.enable {
     environment = {
-      systemPackages = [ cfg.package ];
+      systemPackages = [ finalPackage ];
       etc."ananicy.d".source = pkgs.runCommandLocal "ananicyfiles" { } ''
         mkdir -p $out
         # ananicy-cpp does not include rules or settings on purpose
@@ -159,7 +165,7 @@ in
       );
 
     systemd = {
-      packages = [ cfg.package ];
+      packages = [ finalPackage ];
       services."${servicename}" = {
         wantedBy = [ "default.target" ];
       };