nixos/anubis: Apply some more hardening settings

Signed-off-by: Felix Singer <felixsinger@posteo.net>
2025-05-23 07:10:15 +02:00 · 2025-05-23 07:10:15 +02:00 · 959c8e9311
commit 959c8e9311
parent c9b1eb70c6
1 changed files with 3 additions and 1 deletions
--- a/nixos/modules/services/networking/anubis.nix
+++ b/nixos/modules/services/networking/anubis.nix
@ -299,7 +299,8 @@ in
          ];
          SystemCallArchitectures = "native";
          MemoryDenyWriteExecute = true;
-
+          AmbientCapabilities = "";
+          PrivateMounts = true;
          PrivateUsers = true;
          PrivateTmp = true;
          PrivateDevices = true;
@ -313,6 +314,7 @@ in
          ProtectSystem = "strict";
          ProtectControlGroups = "strict";
          LockPersonality = true;
+          RemoveIPC = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          RestrictNamespaces = true;