{ lib, config, ... }: { config.systemd.services = lib.mkIf (config.specialisation != { }) { NetworkManager.serviceConfig = { CapabilityBoundingSet = [ "" (lib.concatStringsSep " " [ "cap_net_bind_service" "cap_net_admin" "cap_net_raw" ]) ]; NoNewPrivileges = true; RestrictNamespaces = "net uts"; ProtectControlGroups = true; ProtectKernelModules = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; ProtectProc = "invisible"; SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; PrivateDevices = true; LockPersonality = true; # PrivateUsers = true; # BAD # ProtectKernelTunables = true; # BAD ProtectHostname=true; ProcSubset="pid"; ProtectSystem=true; }; NetworkManager-dispatcher.serviceConfig = { CapabilityBoundingSet = [ "" (lib.concatStringsSep " " [ "cap_net_bind_service" "cap_net_admin" "cap_net_raw" ]) ]; UMask = "0700"; NoNewPrivileges = true; RestrictNamespaces = "net uts"; ProtectControlGroups = true; ProtectKernelModules = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; ProtectProc = "invisible"; SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; PrivateDevices = true; LockPersonality = true; # PrivateUsers = true; # BAD # ProtectKernelTunables = true; # BAD ProtectHostname=true; ProcSubset="pid"; ProtectSystem=true; }; }; }