33 lines
839 B
Nix
33 lines
839 B
Nix
|
{ lib, config, ... }:
|
||
|
|
{
|
||
|
|
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
||
|
|
"getty@".serviceConfig = {
|
||
|
|
|
||
|
|
#CapabilityBoundingSet =[
|
||
|
|
# "CAP_SYS_TTY_CONFIGCAP_LEASE"
|
||
|
|
#];
|
||
|
|
|
||
|
|
# NoNewPrivileges = true;
|
||
|
|
RestrictNamespaces = "pid";
|
||
|
|
|
||
|
|
ProtectControlGroups = true;
|
||
|
|
ProtectHome = false;
|
||
|
|
ProtectClock = false;
|
||
|
|
ProtectKernelModules = true;
|
||
|
|
ProtectKernelTunables = true;
|
||
|
|
MemoryDenyWriteExecute = true;
|
||
|
|
# RestrictSUIDSGID = true;
|
||
|
|
SystemCallArchitectures = "native";
|
||
|
|
SystemCallFilter = lib.mkForce "@system-service";
|
||
|
|
LockPersonality = true;
|
||
|
|
#RestrictRealtime=true;
|
||
|
|
ProtectProc = "invisible";
|
||
|
|
|
||
|
|
# PrivateUsers=true;
|
||
|
|
PrivateNetwork = true;
|
||
|
|
RestrictAddressFamilies = "AF_UNIX";
|
||
|
|
# ProtectSystem=true;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|