modules: Add hardening configuration

modules/hardening.nix

@@ -0,0 +1,752 @@
+{ config, lib, pkgs, ... }: {
+  systemd.services.systemd-rfkill = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.syslog = {
+    serviceConfig = {
+      PrivateNetwork = true;
+      CapabilityBoundingSet =
+        [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
+      ProtectKernelTunables = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      UMask = "0077";
+      RestrictNamespace = true;
+      ProtectProc = "invisible";
+      ProtectHome = true;
+      DeviceAllow = false;
+      ProtectSystem = "full";
+    };
+  };
+
+  systemd.services.systemd-journald = {
+    serviceConfig = {
+      UMask = 77;
+      PrivateNetwork = true;
+      ProtectHostname = true;
+      ProtectKernelModules = true;
+    };
+  };
+  systemd.services.auto-cpufreq = {
+    serviceConfig = {
+      CapabilityBoundingSet = "";
+      ProtectSystem = "full";
+      ProtectHome = true;
+      PrivateNetwork = true;
+      IPAddressDeny = "any";
+      NoNewPrivileges = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectHostname = false;
+      MemoryDenyWriteExecute = true;
+      ProtectClock = true;
+      RestrictNamespaces = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectProc = true;
+      ReadOnlyPaths = [ "/" ];
+      InaccessiblePaths = [ "/home" "/root" "/proc" ];
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+  };
+  systemd.services.NetworkManager-dispatcher = {
+    serviceConfig = {
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.display-manager = {
+    serviceConfig = {
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true; # so we won't need all of this
+    };
+  };
+  systemd.services.emergency = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for emergency access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty1" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty7" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.NetworkManager = {
+    serviceConfig = {
+      NoNewPrivileges = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      RestrictNamespaces = true;
+      ProtectKernelTunables = true;
+      ProtectHome = true;
+      PrivateTmp = true;
+      UMask = "0077";
+    };
+  };
+  systemd.services."nixos-rebuild-switch-to-configuration" = {
+    serviceConfig = {
+      ProtectHome = true;
+      NoNewPrivileges = true; # Prevent gaining new privileges
+    };
+  };
+  systemd.services."dbus" = {
+    serviceConfig = {
+      PrivateTmp = true;
+      PrivateNetwork = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+      SystemCallFilter =
+        "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
+      ProtectKernelTunables = true;
+      NoNewPrivileges = true;
+      CapabilityBoundingSet = [
+        "~CAP_SYS_TIME"
+        "~CAP_SYS_PACCT"
+        "~CAP_KILL"
+        "~CAP_WAKE_ALARM"
+        "~CAP_SYS_BOOT"
+        "~CAP_SYS_CHROOT"
+        "~CAP_LEASE"
+        "~CAP_MKNOD"
+        "~CAP_NET_ADMIN"
+        "~CAP_SYS_ADMIN"
+        "~CAP_SYSLOG"
+        "~CAP_NET_BIND_SERVICE"
+        "~CAP_NET_BROADCAST"
+        "~CAP_AUDIT_WRITE"
+        "~CAP_AUDIT_CONTROL"
+        "~CAP_SYS_RAWIO"
+        "~CAP_SYS_NICE"
+        "~CAP_SYS_RESOURCE"
+        "~CAP_SYS_TTY_CONFIG"
+        "~CAP_SYS_MODULE"
+        "~CAP_IPC_LOCK"
+        "~CAP_LINUX_IMMUTABLE"
+        "~CAP_BLOCK_SUSPEND"
+        "~CAP_MAC_*"
+        "~CAP_DAC_*"
+        "~CAP_FOWNER"
+        "~CAP_IPC_OWNER"
+        "~CAP_SYS_PTRACE"
+        "~CAP_SETUID"
+        "~CAP_SETGID"
+        "~CAP_SETPCAP"
+        "~CAP_FSETID"
+        "~CAP_SETFCAP"
+        "~CAP_CHOWN"
+      ];
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      MemoryDenyWriteExecute = true;
+      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
+      ProtectHostname = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+    };
+  };
+  systemd.services.nix-daemon = {
+    serviceConfig = {
+      ProtectHome = true;
+      PrivateUsers = false;
+    };
+  };
+  systemd.services.reload-systemd-vconsole-setup = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictNamespaces = true;
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.rescue = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for rescue operations
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network troubleshooting in rescue mode
+    };
+  };
+  systemd.services."systemd-ask-password-console" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for console access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."systemd-ask-password-wall" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.thermald = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for adjusting cooling policies
+      ProtectKernelModules = true; # May need adjustment for module control
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May require access to specific hardware devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      CapabilityBoundingSet = "";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+      DeviceAllow = [ ];
+      RestrictAddressFamilies = [ ];
+    };
+  };
+  systemd.services."user@1000" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true; # Be cautious, as this may restrict user operations
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.virtlockd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM resources
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need adjustment for network operations
+    };
+  };
+  systemd.services.virtlogd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM logs
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on log management needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network-based log collection
+    };
+  };
+  systemd.services.virtlxcd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for container management
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for container user management
+      PrivateDevices = true; # Containers might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked containers
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on container operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtqemud = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for VM management
+      ProtectKernelModules =
+        true; # May need adjustment for VM hardware emulation
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtvboxd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Required for some VM management tasks
+      ProtectKernelModules = true; # May need adjustment for module handling
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs may require access to certain devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+}