From d021739983c695769c8c636a058a7db03b3f0a79 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 29 Jan 2025 18:37:35 +0100
Subject: [PATCH] cleanup

---
 common/tooling/java.nix | 2 +-
 common/tooling/nix-index.nix | 1 -
 hardening/opensnitch/dns.nix | 1 -
 hardening/systemd/acpid.nix | 4 ++--
 hardening/systemd/default.nix | 2 +-
 5 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/common/tooling/java.nix b/common/tooling/java.nix
index 473de3e..b9aa770 100644
--- a/common/tooling/java.nix
+++ b/common/tooling/java.nix
@@ -21,7 +21,7 @@ in
     pkgs.jdk17
     pkgs.visualvm
     pkgs.gradle_7
-  ]; # ++ optionals graphical [ pkgs.jetbrains.idea-community ];
+  ] ++ optionals graphical [ pkgs.jetbrains.idea-community ];
   environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home;
diff --git a/common/tooling/nix-index.nix b/common/tooling/nix-index.nix
index db4c467..8c33658 100644
--- a/common/tooling/nix-index.nix
+++ b/common/tooling/nix-index.nix
@@ -13,7 +13,6 @@ in
   users.users."${user}" = {
     isSystemUser = true;
     group = user;
-    uid = 995;
   };
   users.groups."${user}" = { };
diff --git a/hardening/opensnitch/dns.nix b/hardening/opensnitch/dns.nix
index 93ceb6f..fe65e3a 100644
--- a/hardening/opensnitch/dns.nix
+++ b/hardening/opensnitch/dns.nix
@@ -30,7 +30,6 @@ in
   users.groups."${dnscrypt_proxy_user}" = { };
   systemd.services.dnscrypt-proxy2.serviceConfig = {
-    DynamicUser = lib.mkForce true;
     User = dnscrypt_proxy_user;
     Group = dnscrypt_proxy_user;
   };
diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix
index 8dc5cd5..934f7c5 100644
--- a/hardening/systemd/acpid.nix
+++ b/hardening/systemd/acpid.nix
@@ -5,7 +5,6 @@
   CapabilityBoundingSet = [ "" ];
-  NoNewPrivileges = true;
   RestrictNamespaces = [
     "~pid"
     "~user"
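Review bot: The re-enabled `++ optionals graphical [ pkgs.jetbrains.idea-community ]` on the `+` line only evaluates if `optionals` and `graphical` are bound in the `let` block that the hunk header's `in` points at, which is outside the hunk; while the expression lived inside a comment a missing `inherit (lib) optionals;` would never have surfaced. Evaluate once for a host where `graphical` is false as well, since that branch is the one that has to yield the empty list. A short comment on the line, `# IDE only on graphical hosts`, would make the `];` → `]` change self-explanatory.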
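Review bot: Dropping `uid = 995;` from the `users.users."${user}"` block hands the uid to NixOS allocation; as far as I know an already-present user keeps its number through the uid map, but a fresh install will get a different one, so any on-disk state nix-index writes (not visible in this hunk) must not be keyed on the numeric id. If the fixed uid was originally there to avoid a clash with another module's reserved id, record that the removal is deliberate with a comment such as `# uid left to allocation; nothing on disk depends on it`.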
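Review bot: Removing `DynamicUser = lib.mkForce true;` from `serviceConfig` does not by itself decide whether DynamicUser is on — the `mkForce` existed to override whatever the dnscrypt-proxy2 module sets, so the effective value after this hunk is that module's default, which the hunk does not show. If the intent is to run under the static account declared next to `users.groups."${dnscrypt_proxy_user}"`, state it as `DynamicUser = lib.mkForce false;` rather than leaving it implicit, and then set the hardening that `DynamicUser=yes` implies (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`) explicitly in this block unless the module already does. A comment on the `User =` line naming the intended ownership model would keep a later cleanup from flipping it back.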
@@ -33,8 +32,9 @@
   ProtectKernelLogs = true;
   IPAddressAllow = [ ];
-  PrivateDevices = false; # acpi obviously needs device access
+  PrivateDevices = false; # acpi needs device access
   PrivateNetwork = false; # required for netlink to work properly
+  NoNewPrivileges = false; # acpi hooks might want to execute things at higher/different access
   RestrictAddressFamilies = [
     "AF_NETLINK"
     "AF_UNIX"
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index bf6eed3..fe9bf4b 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -21,7 +21,7 @@ in
     ./bluetooth.nix
     # ./tty.nix
     ./ask-password.nix
-    ./nix-daemon.nix
+    # ./nix-daemon.nix
     ./nscd.nix
     ./rtkit.nix
     ./sshd.nix
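Review bot: The added `NoNewPrivileges = false;` after the `PrivateNetwork` line restates systemd's default, so together with the removal of `NoNewPrivileges = true;` in this file's earlier hunk the net effect is that acpid hooks may again gain privileges on exec, and the comment's "might want" reads as speculation rather than a hook that was observed to need it. If a concrete hook requires it, name it so the relaxation can be re-tightened when that hook goes away, e.g. `NoNewPrivileges = false; # needed by <HOOK-PATH placeholder>; restore true once it is gone`. Note that `CapabilityBoundingSet = [ "" ]` from the earlier hunk still bounds what an exec can acquire, so this flag mostly matters for uid changes through setuid binaries; whether the unit runs as root is not visible here.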
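Review bot: Commenting out `./nix-daemon.nix` drops that unit's hardening profile from the import list with no record of why, just as the existing `# ./tty.nix` line carries none, so a reader cannot tell a temporary workaround from a decision. Put the reason on the line, e.g. `# ./nix-daemon.nix # disabled: <reason placeholder>; re-enable once <tracking-ref placeholder>`, so the profile is not forgotten.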