add some more protections

Noa Aarts 2025-03-14 00:37:41 +01:00
parent 26ffcd8ad6
commit 2e71d4315c
Signed by: noa
GPG key ID: 1850932741EFF672


@ -184,6 +184,16 @@ in
User = "disqalculate";
NoNewPrivileges = true;
ProtectHome = true;
ProtectProc = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectSystem = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
CapabylityBoundingSet = true;
RestrictNamspaces = "";
CapabilityBoundingSet = "";
EnvironmentFile = config.age.secrets."discord/disqalculate".path;
BindReadOnlyPaths = [
"/nix/store"
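Review bot: Three of the added hardening options will not take effect as written, assuming this attribute set is a systemd `serviceConfig`: `CapabylityBoundingSet = true;` and `RestrictNamspaces = "";` are misspelled, so systemd ignores them as unknown keys, and `ProtectProc = true;` is not a value that directive accepts (`noaccess`, `invisible`, `ptraceable`, `default`). Drop the misspelled capability line (the correctly spelled `CapabilityBoundingSet = "";` below it already empties the set) and write `RestrictNamespaces = true;` and `ProtectProc = "invisible";`; an empty string for RestrictNamespaces would mean no restriction even with the name fixed. `ProtectSystem = true;` only makes /usr and the boot loader directories read-only, so `ProtectSystem = "strict";` with explicit `ReadWritePaths` is probably what is wanted if the service needs no writable system paths. After deploying, `systemd-analyze security` on the unit and the "Unknown key" warnings in the journal will show which settings were actually applied. The attribute set opens before this hunk and the `BindReadOnlyPaths` list continues past it, so this is based only on the visible lines.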