From 69b61ba85423522f5cf9aa103157bf1d51ccc648 Mon Sep 17 00:00:00 2001
From: Noa Aarts <noa@voorwaarts.nl>
Date: Fri, 14 Mar 2025 10:16:48 +0100
Subject: [PATCH] restict namespaces and system

---
 hosts/nuos/configuration.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hosts/nuos/configuration.nix b/hosts/nuos/configuration.nix
index bf83215..f8386f2 100644
--- a/hosts/nuos/configuration.nix
+++ b/hosts/nuos/configuration.nix
@@ -189,11 +189,12 @@ in
         ProcSubset = "pid";
         ProtectClock = true;
         ProtectKernelLogs = true;
-        ProtectSystem = true;
+        ProtectSystem = "strict";
+        ProtectHostname = true;
         PrivateTmp = true;
         PrivateDevices = true;
         ProtectKernelTunables = true;
-        RestrictNamespaces = "";
+        RestrictNamespaces = true;
         CapabilityBoundingSet = "";
         EnvironmentFile = config.age.secrets."discord/disqalculate".path;
         BindReadOnlyPaths = [