{
  # config,
  lib,
  # pkgs,
  ...
}: let
  inherit (lib) mkForce;

  # Out-of-tree collection of hardened systemd unit definitions.  The source
  # is pinned to a commit, so `ref` moving upstream cannot silently change
  # what this host imports; bump `rev` deliberately and re-review the diff.
  # NOTE(review): builtins.fetchGit pins by git commit id only — there is no
  # content (nar) hash recorded here.  If a stronger pin is wanted, a flake
  # input or a hash-carrying fetcher would provide one; confirm before changing.
  hardenedSource = fetchGit {
    url = "https://github.com/wallago/nix-system-services-hardened.git";
    ref = "main";
    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
  };

  # Path of the per-service module `name` inside the fetched tree.
  hardenedModule = name: "${hardenedSource}/services/${name}.nix";
in {
  # One hardened unit definition is imported per entry below.
  imports = map hardenedModule [
    "accounts-daemon"
    "getty"
    # "nix-daemon" # TODO: breaks cgroups, ...
    "nscd"
    "rescue"
    "sshd"
    "systemd-machined"
    "systemd-rfkill"
    "systemd-udevd"
  ];

  # Local relaxations of the imported hardening.  Every entry here widens a
  # sandbox, so keep the list short and the reason for each entry documented.

  # Forces RestrictNamespaces= for nix-daemon to an empty list, overriding any
  # value another module sets (presumably so sandboxed builds can still create
  # namespaces — verify against the hardened unit if it is ever re-enabled).
  # With the hardened nix-daemon module commented out above, this override
  # likely has no visible effect today.
  systemd.services.nix-daemon.serviceConfig.RestrictNamespaces = mkForce [];

  systemd.services.sshd.serviceConfig = {
    # Paths sshd may write to on top of whatever filesystem protection the
    # imported unit applies; everything else stays as the hardened unit left
    # it.  No mkForce: list-valued options merge across modules.
    # NOTE(review): sessions spawned by sshd inherit this unit's sandbox, so
    # these carve-outs also bound what an SSH login can write — confirm that
    # is the intended scope for /storage and /etc/nixos.
    ReadWritePaths = ["/storage" "/etc/nixos"];
    # The hardened unit hides home directories; that is overridden here,
    # presumably because sshd needs ~/.ssh/authorized_keys and user sessions
    # need their home.  mkForce is required because a string option with two
    # conflicting definitions would otherwise fail to evaluate.
    ProtectHome = mkForce "no";
  };
}