From 547697c231279a53226f0a13b44351407cbff5e0 Mon Sep 17 00:00:00 2001
From: Reinout Meliesie
Date: Tue, 4 Mar 2025 18:09:13 +0100
Subject: [PATCH] Enable simple sandboxing in Bookwyrm systemd unit

---
 packages/bookwyrm/nixos-module.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/packages/bookwyrm/nixos-module.nix b/packages/bookwyrm/nixos-module.nix
index 42049e5..96849ae 100644
--- a/packages/bookwyrm/nixos-module.nix
+++ b/packages/bookwyrm/nixos-module.nix
@@ -24,6 +24,21 @@ with pkgs . kernelmaft ;
 User=bookwyrm
 Group=bookwyrm
+
+ProtectSystem=strict
+ProtectHome=tmpfs
+PrivateTmp=disconnected
+PrivateDevices=true
+PrivateIPC=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=strict
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
 '' ;
 } ;
 } ;
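Review bot: `ProtectSystem=strict` mounts the entire file system read-only for the service and nothing in this hunk grants write access back, so unless a `ReadWritePaths=`, `StateDirectory=` or `LogsDirectory=` line exists elsewhere in the unit (the `''` string and the enclosing attribute set start before the hunk) any write Bookwyrm makes to its media, data or log directory will fail with a read-only file system error at runtime rather than at activation; the same applies to `ProtectHome=tmpfs` if any path under /home is used. I would add `ReadWritePaths=<bookwyrm data directory — placeholder>` (or `StateDirectory=bookwyrm`) directly after `ProtectSystem=strict` and exercise an upload and a log write before merging. `PrivateTmp=disconnected` and `ProtectControlGroups=strict` are, as far as I recall, values first accepted by systemd 257; on an older systemd each is rejected at parse time and the directive is dropped with only a warning, which silently loses the intended isolation, so a comment such as `# Needs systemd >= 257 for PrivateTmp=disconnected and ProtectControlGroups=strict` above the block would record the requirement. The list could be rounded out with `NoNewPrivileges=true`, `CapabilityBoundingSet=` and `SystemCallFilter=@system-service`, the usual companions of these settings for a non-root service, each verified against the running service.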