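{ config, lib, pkgs, ... }:

# Per-service systemd sandboxing for a NixOS host.
#
# Two things to keep in mind when editing this file:
#  * Every `serviceConfig` value is rendered verbatim into the unit's [Service]
#    section.  A misspelled key or an invalid value is logged by systemd and
#    then *silently ignored* (several were: `RestrictNamespace`, `ProtectProc =
#    true`, `DeviceAllow = false`, empty Nix lists that render no line at all).
#    After a change, run `systemd-analyze security <unit>` and
#    `journalctl -b -u <unit>` and look for "ignoring".
#  * A sandbox is inherited by everything the unit spawns.  For the interactive
#    units (emergency/rescue shells, getty, user@) and the libvirt drivers
#    (which spawn the guests) this means the strict settings previously applied
#    here broke the thing the unit exists for; those are reduced below with an
#    explanation of what could not work.
#  * `ProtectClock = true` implies `DeviceAllow=char-rtc r`, which switches the
#    device cgroup to an allow list.  It is therefore only used on units that
#    open no device nodes of their own.

let
  # The only sandboxing that is safe on a unit whose environment is inherited
  # by an interactive root or user shell: it takes no file, device, UID mapping
  # or network away from the operator.  ProtectSystem=strict, ProtectHome,
  # PrivateDevices, PrivateUsers, IPAddressDeny and a syscall allowlist would
  # all be inherited by every command typed at the prompt.
  interactiveHardening = {
    LockPersonality = true;
    RestrictRealtime = true;
    # Blocks non-native ABIs (e.g. 32-bit binaries) for the whole session.
    SystemCallArchitectures = "native";
  };

  # Console logins.  getty execs login, which execs the user's shell, so this
  # applies to the entire login session.  The previous settings made console
  # login impossible: PrivateDevices hides /dev/ttyN (only pseudo devices such
  # as /dev/null and /dev/tty are provided), PrivateUsers leaves no mapping for
  # the UID login switches to, RestrictAddressFamilies=AF_INET blocks the
  # AF_UNIX socket pam_systemd uses to reach logind, ProtectSystem=strict and
  # ProtectHome give the user a read-only system with no home directory, and
  # the 24-entry syscall allowlist lacked exit_group/clone/wait4, so not even
  # a shell could run.
  gettyHardening = {
    # getty@ttyN is an instance of the getty@ template: apply this as a
    # drop-in on top of the template instead of generating a standalone
    # getty@ttyN.service that has no ExecStart=.
    overrideStrategy = "asDropin";
    serviceConfig = interactiveHardening;
  };

  # systemd-tty-ask-password-agent.  It opens /dev/console (the wall variant:
  # every logged-in tty), which PrivateDevices does not provide and the
  # DeviceAllow implied by ProtectClock would block, and it answers over the
  # AF_UNIX sockets under /run/systemd/ask-password, which the previous
  # RestrictAddressFamilies="AF_INET AF_INET6" forbade.
  askPasswordHardening = {
    ProtectSystem = "strict";
    ProtectHome = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    ProtectKernelLogs = true;
    ProtectProc = "invisible";
    ProcSubset = "pid";
    PrivateTmp = true;
    PrivateUsers = true;
    PrivateIPC = true;
    MemoryDenyWriteExecute = true;
    NoNewPrivileges = true;
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    # RestrictAddressFamilies= filters socket(2); the reply socket is AF_UNIX
    # and the agent has no use for IP sockets (IPAddressDeny=any anyway).
    RestrictAddressFamilies = [ "AF_UNIX" ];
    RestrictNamespaces = true;
    SystemCallFilter = [ "@system-service" ];
    SystemCallArchitectures = "native";
    UMask = "0077";
    IPAddressDeny = "any";
  };

  # libvirt hypervisor drivers.  They create the guests as child processes, so
  # every option here also applies to each qemu, container init or VBox
  # process.  The previous settings could not work: PrivateDevices (and the
  # DeviceAllow implied by ProtectClock) hide /dev/kvm, /dev/net/tun,
  # /dev/vboxdrv and any block device used as a disk; PrivateUsers leaves the
  # daemon without capabilities over the host, so it cannot create tap
  # devices, manage cgroups or chown images to the qemu user (an unmapped
  # UID); ProtectControlGroups and RestrictNamespaces block the per-guest
  # cgroup and namespace setup libvirt performs; ProtectSystem=strict makes
  # /var/lib/libvirt and /etc/libvirt read-only; ProtectHostname blocks
  # sethostname(2) inside LXC containers; and MemoryDenyWriteExecute is
  # inherited by qemu, whose TCG JIT needs writable+executable memory.
  # What is left still holds for the guests.
  virtDriverHardening = {
    ProtectKernelLogs = true;
    LockPersonality = true;
    SystemCallArchitectures = "native";
  };
in
{
  systemd.services.systemd-rfkill = {
    serviceConfig = {
      # NOTE(review): systemd-rfkill persists switch state under
      # /var/lib/systemd/rfkill; if state stops surviving reboots with a
      # read-only /var, grant that directory with StateDirectory= or
      # ReadWritePaths= rather than dropping "strict".
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      # Safe here because the unit receives /dev/rfkill already opened from
      # systemd-rfkill.socket (ListenSpecial=); device-cgroup checks happen
      # at open(2), not on an inherited descriptor.
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      # The previous hand-written allowlist was x86_64-specific (arch_prctl,
      # select, access, pread64) and omitted calls a daemon cannot run without
      # (exit_group, rt_sigreturn, newfstatat, socket/sendmsg for sd_notify),
      # so the service would have been killed with SIGSYS at startup.
      # @system-service is the curated set for ordinary daemons and is what
      # the rest of this file uses.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };

  systemd.services.syslog = {
    serviceConfig = {
      PrivateNetwork = true;
      # NOTE(review): CAP_NET_BIND_SERVICE is pointless while PrivateNetwork
      # is on (the unit only sees a loopback interface).  Drop one or the
      # other depending on whether this syslog daemon must receive from or
      # forward to the network.
      CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      PrivateMounts = true;
      SystemCallArchitectures = "native";
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      ProtectKernelTunables = true;
      RestrictRealtime = true;
      PrivateUsers = true;
      PrivateTmp = true;
      UMask = "0077";
      # Was misspelled "RestrictNamespace", which systemd ignored.
      RestrictNamespaces = true;
      ProtectProc = "invisible";
      ProtectHome = true;
      # DeviceAllow= takes device paths; the previous `false` was not one and
      # was ignored.  An empty value clears the allow list, so with
      # PrivateDevices=true (DevicePolicy=closed) only the standard pseudo
      # devices remain reachable.
      DeviceAllow = "";
      ProtectSystem = "full";
    };
  };

  systemd.services.systemd-journald = {
    serviceConfig = {
      # Was the bare integer 77; keep the octal string form used everywhere
      # else in this file.
      UMask = "0077";
      PrivateNetwork = true;
      ProtectHostname = true;
      ProtectKernelModules = true;
    };
  };

  systemd.services.auto-cpufreq = {
    serviceConfig = {
      CapabilityBoundingSet = "";
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateNetwork = true;
      IPAddressDeny = "any";
      NoNewPrivileges = true;
      # NOTE(review): a CPU-frequency daemon works by writing governor/boost
      # settings under /sys, which ProtectKernelTunables=true and
      # ReadOnlyPaths=/ make read-only.  If the daemon logs EROFS, expose
      # the cpufreq sysfs directories with ReadWritePaths= first and only
      # drop the protection if that is not honoured.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHostname = false;
      MemoryDenyWriteExecute = true;
      ProtectClock = true;
      RestrictNamespaces = true;
      PrivateTmp = true;
      PrivateUsers = true;
      # ProtectProc= takes noaccess/invisible/ptraceable/default; the previous
      # `true` rendered as "ProtectProc=true" and was ignored.
      ProtectProc = "invisible";
      ReadOnlyPaths = [ "/" ];
      # /proc is covered by ProtectProc above.  Listing it here conflicted
      # with the hidepid remount ProtectProc performs and would also hide
      # /proc/self and /proc/cpuinfo, which a CPU-frequency daemon almost
      # certainly reads.
      InaccessiblePaths = [ "/home" "/root" ];
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };

  systemd.services.NetworkManager-dispatcher = {
    serviceConfig = {
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      # NOTE(review): in a private user namespace the dispatcher scripts have
      # no capabilities over the host, so any script that changes routes,
      # firewall rules or interfaces will fail; drop PrivateUsers if that is
      # needed.
      PrivateUsers = true;
      PrivateDevices = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      # nm-dispatcher is a D-Bus (Type=dbus) service: it needs AF_UNIX to reach
      # the system bus at all, and dispatcher scripts commonly expect IPv6.
      # The previous "AF_INET" made socket(AF_UNIX) fail, so the bus name was
      # never acquired.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      # Replaces an x86_64-only allowlist that omitted exit_group, clone and
      # wait4 (a dispatcher that forks scripts cannot run without them).
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      # Applies to every dispatcher script as well.
      IPAddressDeny = "any";
    };
  };

  # The display manager spawns the graphical session, so this is inherited by
  # it.  NOTE(review): ProtectKernelTunables also makes /sys read-only for the
  # session; tools that write sysfs directly (e.g. backlight control without
  # logind) will get EROFS.
  systemd.services.display-manager = {
    serviceConfig = {
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
    };
  };

  # emergency.service and rescue.service are the shells you get when boot
  # fails.  The previous settings made them useless: ProtectSystem=strict and
  # ProtectHome cannot be repaired from, PrivateUsers cannot mount or fsck,
  # PrivateDevices hides the disks, IPAddressDeny=any prevents fetching a fix,
  # and the syscall allowlist lacked exit_group/clone/wait4 so bash could not
  # run at all.
  systemd.services.emergency.serviceConfig = interactiveHardening;
  systemd.services.rescue.serviceConfig = interactiveHardening;

  systemd.services."getty@tty1" = gettyHardening;
  systemd.services."getty@tty7" = gettyHardening;

  systemd.services.NetworkManager = {
    serviceConfig = {
      NoNewPrivileges = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      # NOTE(review): upstream's unit keeps CAP_SYS_MODULE so NetworkManager
      # can load drivers for virtual link types (vlan, bonding, wireguard,
      # ...).  If creating such links fails, this is the option to relax.
      ProtectKernelModules = true;
      SystemCallArchitectures = "native";
      MemoryDenyWriteExecute = true;
      ProtectProc = "invisible";
      # Removed relative to the previous version:
      #  - ProcSubset=pid hides /proc/sys, which NetworkManager reads and
      #    writes to configure interfaces (IPv6 RA/privacy, forwarding);
      #  - ProtectKernelTunables makes those same sysctls read-only;
      #  - ProtectClock implies DeviceAllow=char-rtc r, blocking the device
      #    nodes NetworkManager opens itself (e.g. /dev/net/tun, /dev/rfkill).
      RestrictNamespaces = true;
      # NOTE(review): upstream uses ProtectHome=read-only so that 802.1X/VPN
      # certificates and keys kept under /home stay readable; switch to that
      # if profiles reference files there.
      ProtectHome = true;
      PrivateTmp = true;
      UMask = "0077";
    };
  };

  systemd.services."nixos-rebuild-switch-to-configuration" = {
    serviceConfig = {
      ProtectHome = true;
      # Prevent gaining new privileges (setuid/fscaps) during activation.
      NoNewPrivileges = true;
    };
  };

  systemd.services."dbus" = {
    serviceConfig = {
      PrivateTmp = true;
      PrivateNetwork = true;
      ProtectSystem = "full";
      ProtectHome = true;
      SystemCallFilter = "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
      ProtectKernelTunables = true;
      # NOTE(review): with NoNewPrivileges the setuid dbus-daemon-launch-helper
      # cannot gain root, so activation of system services that lack a
      # SystemdService= line will fail.  Check the journal for activation
      # errors after enabling.
      NoNewPrivileges = true;
      # NOTE(review): the CAP_MAC_* / CAP_DAC_* glob entries are only honoured
      # by systemd versions whose capability parser accepts patterns; on an
      # older systemd they are logged and ignored.  Verify with
      # `systemd-analyze security dbus.service`, or spell them out.
      CapabilityBoundingSet = [
        "~CAP_SYS_TIME" "~CAP_SYS_PACCT" "~CAP_KILL" "~CAP_WAKE_ALARM"
        "~CAP_SYS_BOOT" "~CAP_SYS_CHROOT" "~CAP_LEASE" "~CAP_MKNOD"
        "~CAP_NET_ADMIN" "~CAP_SYS_ADMIN" "~CAP_SYSLOG" "~CAP_NET_BIND_SERVICE"
        "~CAP_NET_BROADCAST" "~CAP_AUDIT_WRITE" "~CAP_AUDIT_CONTROL"
        "~CAP_SYS_RAWIO" "~CAP_SYS_NICE" "~CAP_SYS_RESOURCE"
        "~CAP_SYS_TTY_CONFIG" "~CAP_SYS_MODULE" "~CAP_IPC_LOCK"
        "~CAP_LINUX_IMMUTABLE" "~CAP_BLOCK_SUSPEND" "~CAP_MAC_*" "~CAP_DAC_*"
        "~CAP_FOWNER" "~CAP_IPC_OWNER" "~CAP_SYS_PTRACE" "~CAP_SETUID"
        "~CAP_SETGID" "~CAP_SETPCAP" "~CAP_FSETID" "~CAP_SETFCAP" "~CAP_CHOWN"
      ];
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      MemoryDenyWriteExecute = true;
      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
      ProtectHostname = true;
      LockPersonality = true;
      RestrictRealtime = true;
      # PrivateUsers was removed: the system bus authenticates peers by the
      # UID from SO_PEERCRED, and inside a private user namespace every
      # unmapped UID shows up as "nobody", so the EXTERNAL auth UID check and
      # per-user bus policies fail for all non-root clients.
    };
  };

  systemd.services.nix-daemon = {
    serviceConfig = {
      # The daemon receives store paths over its socket and has no need to
      # read user homes itself.
      ProtectHome = true;
      PrivateUsers = false;
    };
  };

  systemd.services.reload-systemd-vconsole-setup = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      PrivateUsers = true;
      PrivateDevices = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };

  systemd.services."systemd-ask-password-console".serviceConfig = askPasswordHardening;
  # The wall agent writes to ttys owned by the logged-in users, which root
  # inside a private user namespace cannot open (their owners are unmapped),
  # so PrivateUsers is left out for it.
  systemd.services."systemd-ask-password-wall".serviceConfig =
    removeAttrs askPasswordHardening [ "PrivateUsers" ];

  systemd.services.thermald = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      # NOTE(review): thermald acts by writing cooling-device and p-state
      # attributes under /sys, which ProtectKernelTunables makes read-only,
      # and ProcSubset=pid hides /proc/cpuinfo.  If it logs EROFS/permission
      # errors, expose the needed sysfs paths with ReadWritePaths= before
      # dropping the protection.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      # NOTE(review): hides /dev/cpu/*/msr; fine unless thermald needs MSR
      # access on this hardware.
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
      # An empty Nix list renders no line at all, so the previous
      # `DeviceAllow = [ ]` / `RestrictAddressFamilies = [ ]` restricted
      # nothing.  An empty DeviceAllow= clears the allow list (PrivateDevices
      # already implies DevicePolicy=closed).  AF_UNIX stays allowed because
      # RestrictAddressFamilies= filters socket(2), which journal/syslog
      # logging and a D-Bus interface (if --dbus-enable is used) need.
      DeviceAllow = "";
      RestrictAddressFamilies = [ "AF_UNIX" ];
    };
  };

  # The user manager.  Every user service (pipewire, the user D-Bus, and on
  # desktops that launch applications through it, each application) runs
  # inside this unit's sandbox.  The previous settings broke the session:
  # ProtectControlGroups makes /sys/fs/cgroup read-only although user@.service
  # is a delegated subtree that systemd --user must write to; ProtectHome
  # hides the user's own ~/.config/systemd/user; PrivateUsers, PrivateDevices
  # and the DeviceAllow implied by ProtectClock remove the sound and GPU
  # devices; IPAddressDeny=any and RestrictAddressFamilies cut user services
  # off the network and AF_UNIX; MemoryDenyWriteExecute and
  # SystemCallArchitectures break JIT-using and 32-bit applications.  Harden
  # individual user services instead.
  systemd.services."user@1000" = {
    # Instance of the user@ template; apply as a drop-in.
    overrideStrategy = "asDropin";
    serviceConfig = {
      LockPersonality = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
    };
  };

  systemd.services.virtlockd = {
    serviceConfig = {
      # NOTE(review): virtlockd keeps lock files under /var/lib/libvirt/lockd
      # when a file lockspace is configured; with a read-only /var that needs
      # `ReadWritePaths = [ "-/var/lib/libvirt/lockd" ]`.
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      # NOTE(review): locks are taken on the disk images themselves; images
      # owned by the qemu user (an unmapped UID here) or living on block
      # devices (hidden by PrivateDevices) cannot be opened from a private
      # user namespace.  Relax PrivateUsers/PrivateDevices if locking fails.
      PrivateUsers = true;
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      # AF_UNIX added: RestrictAddressFamilies= filters socket(2), and the
      # daemon's own sockets and journal/syslog logging are AF_UNIX.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };

  systemd.services.virtlogd = {
    serviceConfig = {
      ProtectSystem = "strict";
      # virtlogd exists to write guest console logs; the default log root is
      # /var/log/libvirt, which "strict" would make read-only.  The leading
      # "-" tolerates the directory not existing yet.
      # NOTE(review): confirm against log_root in virtlogd.conf.
      ReadWritePaths = [ "-/var/log/libvirt" ];
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      # AF_UNIX added: the daemon's sockets and journal/syslog logging use it.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };

  systemd.services.virtlxcd.serviceConfig = virtDriverHardening;
  systemd.services.virtqemud.serviceConfig = virtDriverHardening;
  systemd.services.virtvboxd.serviceConfig = virtDriverHardening;
}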