Signature
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgBTEvCQk6VqUAdN2RuH6bj1dNkY
oOpbPWj+jw4ua1B1cAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQP/wNyvE5IHdEa1TgakmUPKvwvFly6z93gt/czOuLyLiZc2uZ65ln83KiG9PcMEobs
efr8sNeBJZ34hefF5edg0=
-----END SSH SIGNATURE-----
diff --git a/nix/module.nix b/nix/module.nix
index aed867c7806f164d1524db64f02382d7678de6b0..7c39455d8b76224e234616434f83a1d2a5bb1f49 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -140,6 +140,33 @@ Group = instanceCfg.group;
Restart = "always";
RestartSec = "15";
WorkingDirectory = instanceCfg.homeDir;
+ ReadWritePaths = [ instanceCfg.homeDir ];
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
ExecStart =
let
configFile = pkgs.writeText "ugit-${name}.yaml" (
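Review bot: The new hardening set has no `SystemCallFilter`, so `SystemCallArchitectures = "native"` on its own only pins the ABI and the service still gets the full syscall surface; the usual companion to this block is `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];`, which should be placed next to it. Worth adding in the same spirit: `ProtectProc = "invisible";` and `ProcSubset = "pid";` to hide other processes' /proc entries. Also note that `PrivateUsers = true` together with the empty `CapabilityBoundingSet` means the unit cannot bind privileged ports; whether any instance listens below 1024 is decided by the YAML config built outside this hunk, so that should be confirmed before merging. If the Go runtime or any plugin needs writable+executable mappings, `MemoryDenyWriteExecute` will surface as an immediate crash rather than a silent failure, which is fine but should be watched on first deploy.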