this one is for the chrome enjoyers

harden service
2025-04-11 12:08:15 -05:00 · 2025-04-11 10:44:54 -05:00
3 changed files with 29 additions and 6 deletions
--- a/internal/html/generate.css
+++ b/internal/html/generate.css
@ -45,9 +45,5 @@
 }

 .code>.chroma {
-  @apply text-sm p-3 rounded overflow-scroll;
-}
-
-.chroma .line {
-  @apply overflow-scroll
+  @apply text-sm p-3 rounded;
 }
--- a/internal/html/tailwind.go
+++ b/internal/html/tailwind.go
--- a/nix/module.nix
+++ b/nix/module.nix
@ -140,6 +140,33 @@ in
              Restart = "always";
              RestartSec = "15";
              WorkingDirectory = instanceCfg.homeDir;
+              ReadWritePaths = [ instanceCfg.homeDir ];
+              CapabilityBoundingSet = "";
+              NoNewPrivileges = true;
+              ProtectSystem = "strict";
+              ProtectHome = true;
+              PrivateTmp = true;
+              PrivateDevices = true;
+              PrivateUsers = true;
+              ProtectHostname = true;
+              ProtectClock = true;
+              ProtectKernelTunables = true;
+              ProtectKernelModules = true;
+              ProtectKernelLogs = true;
+              ProtectControlGroups = true;
+              RestrictAddressFamilies = [
+                "AF_UNIX"
+                "AF_INET"
+                "AF_INET6"
+              ];
+              RestrictNamespaces = true;
+              LockPersonality = true;
+              MemoryDenyWriteExecute = true;
+              RestrictRealtime = true;
+              RestrictSUIDSGID = true;
+              RemoveIPC = true;
+              PrivateMounts = true;
+              SystemCallArchitectures = "native";
              ExecStart =
                let
                  configFile = pkgs.writeText "ugit-${name}.yaml" (
Author	SHA1	Message	Date
jolheiser	f7bcb11792	this one is for the chrome enjoyers	2025-04-11 12:08:15 -05:00
jolheiser	d502993daf	harden service	2025-04-11 10:44:54 -05:00