chore: update nysh and relax service security

2024-11-20 11:00:10 +01:00 · 2024-11-20 11:00:10 +01:00 · 9355037627
commit 9355037627
parent fe5c301177
2 changed files with 10 additions and 9 deletions
--- a/flake.lock
+++ b/flake.lock
@ -287,11 +287,11 @@
        "quickshell": "quickshell"
      },
      "locked": {
-        "lastModified": 1731862325,
-        "narHash": "sha256-K6F/3dMLzPucS0E3wCgqmIGu5WbrYRhVeTKRyFsh9Cc=",
+        "lastModified": 1732096650,
+        "narHash": "sha256-UvjspNFYpaHa5nVe0r5pVOnjX3HyeUDZW2VovxF7Zzg=",
        "ref": "refs/heads/main",
-        "rev": "a57cc7c1d2f6dc5dd2642b6d9d9dab2ca8f43da2",
-        "revCount": 81,
+        "rev": "e50a21ebc5ba79cc98d4c87efe00ccae8faf4c86",
+        "revCount": 84,
        "type": "git",
        "url": "https://git.ccnlc.eu/nydragon/nysh.git"
      },
--- a/options/services/nysh.nix
+++ b/options/services/nysh.nix
@ -2,6 +2,7 @@
  lib,
  inputs',
  config,
+  pkgs,
  ...
 }:
 let
@ -20,6 +21,11 @@ in

  config = mkIf cfg.enable {
    systemd.user.services.nysh = {
+      path = [
+        pkgs.curl
+        pkgs.brightnessctl
+        pkgs.networkmanager
+      ];
      wantedBy = [
        "multi-user.target"
        "graphical-session.target"
@ -33,11 +39,6 @@ in
        Restart = "on-failure";

        NoNewPrivileges = true;
-        PrivateMounts = true;
-        ProtectHostname = true;
-        ProtectKernelTunables = true;
-        PrivateTmp = true;
-        IPAddressDeny = "any";
      };
    };
  };