From 2e71d4315c225820f759839f0909994333863662 Mon Sep 17 00:00:00 2001
From: Noa Aarts
Date: Fri, 14 Mar 2025 00:37:41 +0100
Subject: [PATCH] add some more protections
---
 hosts/nuos/configuration.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/hosts/nuos/configuration.nix b/hosts/nuos/configuration.nix
index 2c48a39..9580329 100644
--- a/hosts/nuos/configuration.nix
+++ b/hosts/nuos/configuration.nix
@@ -184,6 +184,16 @@ in
 User = "disqalculate";
 NoNewPrivileges = true;
 ProtectHome = true;
+ ProtectProc = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectSystem = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ CapabylityBoundingSet = true;
+ RestrictNamspaces = "";
+ CapabilityBoundingSet = "";
 EnvironmentFile = config.age.secrets."discord/disqalculate".path;
 BindReadOnlyPaths = [
 "/nix/store"
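Review bot: Two of the added keys are misspelled, `CapabylityBoundingSet = true;` and `RestrictNamspaces = "";`, and assuming this attrset is a systemd `serviceConfig` (the hunk starts and ends inside it), systemd warns about unknown key names and ignores them, so no namespace restriction is actually applied. The likely intent is `RestrictNamespaces = true;` with the misspelled capability line dropped, since the correctly spelled `CapabilityBoundingSet = "";` follows it. `ProtectProc` is not a boolean; it takes `default`, `ptraceable`, `invisible` or `noaccess`, so `ProtectProc = "invisible";` is probably what was meant. After deploying, running `systemd-analyze security` on the unit and checking the journal for unknown-key warnings will confirm which settings took effect.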