co2_exporter: Actually apply systemd sandboxing

I don’t know how that FIXME could be in there for so long.
2023-02-15 12:01:46 +01:00 · 2023-02-15 12:01:46 +01:00 · f59ba624ba
parent 42a22e89b7
commit f59ba624ba
1 changed files with 6 additions and 1 deletions
--- a/pkgs/co2_exporter/module.nix
+++ b/pkgs/co2_exporter/module.nix
@ -38,7 +38,12 @@ in

        # systemd-analyze --no-pager security co2_exporter.service
        DynamicUser = true;
-        # FIXME
+        CapabilityBoundingSet = null;
+        PrivateUsers = true;
+        ProtectHome = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        SystemCallFilter = "@system-service";
      };
    };
  };