From 959c8e931134c3f986474045c24b05f09b1d770e Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Fri, 23 May 2025 07:10:15 +0200
Subject: [PATCH] nixos/anubis: Apply some more hardening settings

Signed-off-by: Felix Singer
---
 nixos/modules/services/networking/anubis.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/anubis.nix b/nixos/modules/services/networking/anubis.nix
index 2d63fa4ecc59..d44619446b7c 100644
--- a/nixos/modules/services/networking/anubis.nix
+++ b/nixos/modules/services/networking/anubis.nix
@@ -299,7 +299,8 @@ in
 ];
 SystemCallArchitectures = "native";
 MemoryDenyWriteExecute = true;
-
+ AmbientCapabilities = "";
+ PrivateMounts = true;
 PrivateUsers = true;
 PrivateTmp = true;
 PrivateDevices = true;
@@ -313,6 +314,7 @@ in
 ProtectSystem = "strict";
 ProtectControlGroups = "strict";
 LockPersonality = true;
+ RemoveIPC = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 RestrictNamespaces = true;
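Review bot: `AmbientCapabilities = "";` in the first hunk only clears the ambient set, which systemd already leaves empty by default, so on its own it does not reduce the capabilities the service can hold; the setting that actually removes them is `CapabilityBoundingSet`, which is not visible in either hunk, and if the unit does not set it elsewhere the pair should read `AmbientCapabilities = ""; CapabilityBoundingSet = "";` (the existing `PrivateUsers = true;` in context suggests the service needs no host capabilities, but confirm it never binds a privileged port). Likewise `RemoveIPC = true;` in the second hunk has no effect unless the unit sets `User=`, `Group=` or `DynamicUser=`, none of which this diff shows, so that should be verified before counting it as hardening. `PrivateMounts = true;` is already implied by the `ProtectSystem = "strict"` and `Private*` settings in context, so it is redundant but harmless. The `serviceConfig` attribute set these lines belong to starts and ends outside both hunks.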