From d502993daf8911429abb4de4cadc8b83a9ad2ee0 Mon Sep 17 00:00:00 2001
From: jolheiser
Date: Fri, 11 Apr 2025 10:40:15 -0500
Subject: [PATCH] harden service

---
 nix/module.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/nix/module.nix b/nix/module.nix
index aed867c..7c39455 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -140,6 +140,33 @@ in
 Restart = "always";
 RestartSec = "15";
 WorkingDirectory = instanceCfg.homeDir;
+ ReadWritePaths = [ instanceCfg.homeDir ];
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
 ExecStart = let
 configFile = pkgs.writeText "ugit-${name}.yaml" (