stary/nix-powerpc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial snapshot

Browse source
This commit is contained in:
Chloe Bethel 2025-02-10 11:47:09 +00:00
commit 24b41c4faf
16 changed files with 452 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

101
disable-systemd-security.nix Normal file
View file

@ -0,0 +1,101 @@
{...}: {
# who needs security lmao
systemd.services.systemd-journald = {
serviceConfig = {
DeviceAllow = "";
IPAddressDeny = "";
LockPersonality = "no";
MemoryDenyWriteExecute = "no";
NoNewPrivileges = "no";
ProtectClock = "no";
RestrictAddressFamilies = "";
RestrictNamespaces = "";
RestrictRealtime = "no";
RestrictSUIDSGID = "no";
};
};
systemd.services.systemd-udevd = {
serviceConfig = {
DeviceAllow = "";
IPAddressDeny = "";
LockPersonality = "no";
MemoryDenyWriteExecute = "no";
NoNewPrivileges = "no";
ProtectClock = "no";
RestrictAddressFamilies = "";
RestrictNamespaces = "";
RestrictRealtime = "no";
RestrictSUIDSGID = "no";
};
};
systemd.services.systemd-oomd = {
serviceConfig = {
DeviceAllow = "";
IPAddressDeny = "";
LockPersonality = "no";
MemoryDenyWriteExecute = "no";
NoNewPrivileges = "no";
ProtectClock = "no";
RestrictAddressFamilies = "";
RestrictNamespaces = "";
RestrictRealtime = "no";
RestrictSUIDSGID = "no";
};
};
systemd.services.systemd-timesyncd = {
serviceConfig = {
DeviceAllow = "";
IPAddressDeny = "";
LockPersonality = "no";
MemoryDenyWriteExecute = "no";
NoNewPrivileges = "no";
ProtectClock = "no";
RestrictAddressFamilies = "";
RestrictNamespaces = "";
RestrictRealtime = "no";
RestrictSUIDSGID = "no";
};
};
systemd.services.systemd-logind = {
serviceConfig = {
DeviceAllow = "";
IPAddressDeny = "";
LockPersonality = "no";
MemoryDenyWriteExecute = "no";
NoNewPrivileges = "no";
ProtectClock = "no";
RestrictAddressFamilies = "";
RestrictNamespaces = "";
RestrictRealtime = "no";
RestrictSUIDSGID = "no";
};
};
systemd.services.dhcpcd = {
serviceConfig = {
DeviceAllow = lib.mkForce "";
IPAddressDeny = lib.mkForce "";
LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce "no";
NoNewPrivileges = lib.mkForce "no";
ProtectClock = lib.mkForce "no";
RestrictAddressFamilies = lib.mkForce "";
RestrictNamespaces = lib.mkForce "";
RestrictRealtime = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no";
};
};
systemd.services.nginx = {
serviceConfig = {
DeviceAllow = lib.mkForce "";
IPAddressDeny = lib.mkForce "";
LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce "no";
NoNewPrivileges = lib.mkForce "no";
ProtectClock = lib.mkForce "no";
RestrictAddressFamilies = lib.mkForce "";
RestrictNamespaces = lib.mkForce "";
RestrictRealtime = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no";
};
};
}