# Exposes two attribute sets: `systemd`, a reusable set of systemd sandboxing
# directives, and `xdg`, loaded from ./xdg.nix.
# NOTE(review): presumably callers merge `systemd` into a unit's serviceConfig;
# the consumers are not visible in this file, so confirm before relying on it.
let
  systemd = {
    # Privilege escalation: execve() can no longer grant privileges (setuid
    # binaries, file capabilities), and the unit cannot create setuid/setgid files.
    NoNewPrivileges = true;
    RestrictSUIDSGID = true;

    # Process behaviour: pin the execution domain, forbid mappings that are
    # writable and executable at once, and refuse realtime scheduling.
    # MemoryDenyWriteExecute is known to break JIT-based runtimes; such a
    # service needs a per-unit override.
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    RestrictRealtime = true;

    # System calls: native ABI only, plus the @system-service allow-list.
    # With an allow-list, a call outside it terminates the process unless the
    # unit also sets SystemCallErrorNumber, so test each service under this filter.
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" ];

    # Private views: own /dev with pseudo-devices only, own IPC namespace,
    # own /tmp and /var/tmp, and a user namespace with a minimal ID mapping.
    PrivateDevices = true;
    PrivateIPC = true;
    PrivateTmp = true;
    PrivateUsers = true;

    # File system: "strict" mounts the whole hierarchy read-only apart from
    # /dev, /proc and /sys, so a unit has to declare its writable locations
    # itself (StateDirectory, ReadWritePaths, ...). Home directories are
    # inaccessible, and /proc hides processes owned by other users.
    ProtectHome = true;
    ProtectProc = "invisible";
    ProtectSystem = "strict";

    # Kernel and host state: clock, cgroup tree, hostname, kernel log,
    # module loading and kernel tunables are all protected from the unit.
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;

    # Namespaces: a list without a leading "~" is an allow-list. The unit may
    # still use uts, ipc, pid, user and cgroup namespaces; types that are not
    # listed (mnt, net) are denied.
    # NOTE(review): if no consumer needs namespaces, `true` would deny them
    # all; confirm that allowing `user` here is intended.
    RestrictNamespaces = "uts ipc pid user cgroup";

    # Files the unit creates are readable and writable by their owner only.
    UMask = "0077";

    # NOTE(review): this set defines no CapabilityBoundingSet and no
    # RestrictAddressFamilies, so those limits have to come from each unit.
  };

  xdg = import ./xdg.nix;
in
{
  inherit systemd xdg;
}