{ lib, config, ... }:
let
  # Process-level restrictions on the daemon itself: no privilege escalation,
  # no writable+executable memory, native-ABI syscalls only.
  # NOTE(review): seccomp filters and the W^X restriction are presumably
  # inherited by the build processes the daemon forks -- confirm that builds
  # needing JIT-style W+X mappings still succeed under this unit.
  processRestrictions = {
    MemoryDenyWriteExecute = true;
    NoNewPrivileges = true;
    SystemCallArchitectures = "native";
    # Kept from the original ("good, somehow???"); why it is safe is not
    # recorded here -- confirm the daemon never needs to set setuid/setgid bits.
    RestrictSUIDSGID = true;
    LockPersonality = true;
    RestrictRealtime = true;
  };

  # Network and namespace access the daemon needs for fetching and sandboxing.
  isolation = {
    # Sockets for downloading sources and binary caches.
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    # Namespace types the build sandbox is created with.
    RestrictNamespaces = [ "user" "net" "uts" "mnt" "ipc" "pid" ];
    # NOTE(review): @mount and @privileged are broad groups; they are the price
    # of letting the daemon set up sandboxes, but they widen the filter well
    # beyond @system-service.
    SystemCallFilter = [ "@system-service" "@cpu-emulation" "@mount" "@privileged" ];
  };

  # Kernel surface the daemon is kept away from.
  kernelProtection = {
    ProtectControlGroups = true;
    ProtectKernelModules = true; # todo: does kvm need a modprobe here?
    PrivateMounts = true;
    ProtectProc = "invisible";
    ProtectClock = true;
  };

  # File system: everything read-only except the store and /tmp.
  # PrivateTmp is deliberately left off because it breaks --keep-failed.
  fileSystem = {
    ProtectSystem = "strict";
    ReadWritePaths = [ "/nix" "/tmp" ];
  };

  # Scheduling: builds only get what is left over.
  scheduling = {
    LimitNICE = 1;
    Nice = 19;
  };

  # Devices: pseudo-devices such as /dev/null only, plus /dev/kvm for VM tests.
  devices = {
    DevicePolicy = "closed";
    DeviceAllow = "/dev/kvm";
  };

  # Capabilities left in the bounding set. CAP_SYS_ADMIN and CAP_DAC_OVERRIDE
  # are the powerful ones; the set is as the original author found it to work.
  capabilities = {
    CapabilityBoundingSet = [ "CAP_FOWNER" "CAP_CHOWN" "CAP_SETUID" "CAP_SETGID" "CAP_SYS_ADMIN" "CAP_DAC_OVERRIDE" ];
  };

  # Options the original author found to break the daemon (reason not recorded):
  #   ProtectKernelLogs, ProtectKernelTunables, PrivateUsers,
  #   ProtectHome = "read-only", ProtectHostname, PrivateNetwork.
in
{
  # NOTE(review): the hardening is only applied when at least one
  # specialisation is defined -- confirm this condition is intended.
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    nix-daemon.serviceConfig =
      processRestrictions
      // isolation
      // kernelProtection
      // fileSystem
      // scheduling
      // devices
      // capabilities;
  };
}