Clean up systemd sandbox config

nyonson · nyonson · commit ac3c573ed457 · 2025-11-21T10:02:21.000-08:00
diff --git a/flake.nix b/flake.nix
@@ -164,23 +164,17 @@
                 Group = cfg.group;
                 WorkingDirectory = cfg.dataDir;
 
-                PrivateTmp = true;
+                # Essential security.
                 ProtectSystem = "strict";
                 ProtectHome = true;
                 ReadWritePaths = [ cfg.dataDir ];
-                NoNewPrivileges = true;
-                RestrictNamespaces = true;
-                RestrictRealtime = true;
-                RestrictSUIDSGID = true;
-                LockPersonality = true;
-                ProtectClock = true;
-                ProtectHostname = true;
-                ProtectKernelLogs = true;
-                ProtectKernelModules = true;
-                ProtectKernelTunables = true;
-                ProtectControlGroups = true;
+
+                # Network restrictions.
                 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-                SystemCallFilter = [ "@system-service" "~@privileged" ];
+
+                # Basic hardening.
+                NoNewPrivileges = true;
+                PrivateTmp = true;
               };
 
               preStart = optionalString cfg.web.enable ''
