From f59ba624ba2d895a73930f2e2f2e6aa2c287846e Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 15 Feb 2023 12:01:46 +0100
Subject: [PATCH] co2_exporter: Actually apply systemd sandboxing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
I don’t know how that FIXME could be in there for so long.
---
 pkgs/co2_exporter/module.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkgs/co2_exporter/module.nix b/pkgs/co2_exporter/module.nix
index a01312b..23f93ba 100644
--- a/pkgs/co2_exporter/module.nix
+++ b/pkgs/co2_exporter/module.nix
@@ -38,7 +38,12 @@ in
 # systemd-analyze --no-pager security co2_exporter.service
 DynamicUser = true;
- # FIXME
+ CapabilityBoundingSet = null;
+ PrivateUsers = true;
+ ProtectHome = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
 };
 };
 };
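Review bot: `SystemCallFilter = "@system-service";` is added without `SystemCallArchitectures = "native";`, so the allow-list constrains only the native ABI and a secondary ABI, where the kernel offers one, is not covered by it; adding that line next to the filter closes the gap. `CapabilityBoundingSet = null;` presumably renders as an empty assignment that clears the bounding set, but that depends on how the module system stringifies null, so `CapabilityBoundingSet = "";` would state the intent directly. The serviceConfig block starts above the hunk, so other directives may already be set there; re-running the `systemd-analyze --no-pager security co2_exporter.service` command from the comment would confirm what is actually applied.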