feat: harden nysh

2024-10-30 22:52:14 +01:00 · 2024-10-30 22:52:14 +01:00 · 805ed8e3b9
commit 805ed8e3b9
parent d6c16ee186
1 changed files with 10 additions and 4 deletions
--- a/options/services/nysh.nix
+++ b/options/services/nysh.nix
@ -24,15 +24,21 @@ in
        "multi-user.target"
        "graphical-session.target"
      ];
+      partOf = [ "graphical-session.target" ];
+      after = [ "graphical-session-pre.target" ];

-      unitConfig = {
-        After = [ "graphical-session-pre.target" ];
-        PartOf = [ "graphical-session.target" ];
-      };
      serviceConfig = {
        Type = "simple";
        ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
        Restart = "on-failure";
+
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        ProtectHostname = true;
+        ProtectKernelTunables = true;
+        ProtectProc = true;
+        PrivateTmp = true;
+        IPAddressDeny = "any";
      };
    };
  };