etc

2025-02-10 14:51:16 +00:00 · 2025-02-10 14:51:16 +00:00 · 7036f5db2a
commit 7036f5db2a
parent 24b41c4faf
7 changed files with 1316 additions and 121 deletions
--- a/disable-systemd-security.nix
+++ b/disable-systemd-security.nix
@ -1,101 +1,139 @@
-{...}: {            
-              # who needs security lmao
-              systemd.services.systemd-journald = {
-                serviceConfig = {
-                  DeviceAllow = "";
-                  IPAddressDeny = "";
-                  LockPersonality = "no";
-                  MemoryDenyWriteExecute = "no";
-                  NoNewPrivileges = "no";
-                  ProtectClock = "no";
-                  RestrictAddressFamilies = "";
-                  RestrictNamespaces = "";
-                  RestrictRealtime = "no";
-                  RestrictSUIDSGID = "no";
-                };
-              };
-              systemd.services.systemd-udevd = {
-                serviceConfig = {
-                  DeviceAllow = "";
-                  IPAddressDeny = "";
-                  LockPersonality = "no";
-                  MemoryDenyWriteExecute = "no";
-                  NoNewPrivileges = "no";
-                  ProtectClock = "no";
-                  RestrictAddressFamilies = "";
-                  RestrictNamespaces = "";
-                  RestrictRealtime = "no";
-                  RestrictSUIDSGID = "no";
-                };
-              };
-              systemd.services.systemd-oomd = {
-                serviceConfig = {
-                  DeviceAllow = "";
-                  IPAddressDeny = "";
-                  LockPersonality = "no";
-                  MemoryDenyWriteExecute = "no";
-                  NoNewPrivileges = "no";
-                  ProtectClock = "no";
-                  RestrictAddressFamilies = "";
-                  RestrictNamespaces = "";
-                  RestrictRealtime = "no";
-                  RestrictSUIDSGID = "no";
-                };
-              };
-              systemd.services.systemd-timesyncd = {
-                serviceConfig = {
-                  DeviceAllow = "";
-                  IPAddressDeny = "";
-                  LockPersonality = "no";
-                  MemoryDenyWriteExecute = "no";
-                  NoNewPrivileges = "no";
-                  ProtectClock = "no";
-                  RestrictAddressFamilies = "";
-                  RestrictNamespaces = "";
-                  RestrictRealtime = "no";
-                  RestrictSUIDSGID = "no";
-                };
-              };
-              systemd.services.systemd-logind = {
-                serviceConfig = {
-                  DeviceAllow = "";
-                  IPAddressDeny = "";
-                  LockPersonality = "no";
-                  MemoryDenyWriteExecute = "no";
-                  NoNewPrivileges = "no";
-                  ProtectClock = "no";
-                  RestrictAddressFamilies = "";
-                  RestrictNamespaces = "";
-                  RestrictRealtime = "no";
-                  RestrictSUIDSGID = "no";
-                };
-              };
-              systemd.services.dhcpcd = {
-                serviceConfig = {
-                  DeviceAllow = lib.mkForce "";
-                  IPAddressDeny = lib.mkForce "";
-                  LockPersonality = lib.mkForce false;
-                  MemoryDenyWriteExecute = lib.mkForce "no";
-                  NoNewPrivileges = lib.mkForce "no";
-                  ProtectClock = lib.mkForce "no";
-                  RestrictAddressFamilies = lib.mkForce "";
-                  RestrictNamespaces = lib.mkForce "";
-                  RestrictRealtime = lib.mkForce "no";
-                  RestrictSUIDSGID = lib.mkForce "no";
-                };
-              };
-              systemd.services.nginx = {
-                serviceConfig = {
-                  DeviceAllow = lib.mkForce "";
-                  IPAddressDeny = lib.mkForce "";
-                  LockPersonality = lib.mkForce false;
-                  MemoryDenyWriteExecute = lib.mkForce "no";
-                  NoNewPrivileges = lib.mkForce "no";
-                  ProtectClock = lib.mkForce "no";
-                  RestrictAddressFamilies = lib.mkForce "";
-                  RestrictNamespaces = lib.mkForce "";
-                  RestrictRealtime = lib.mkForce "no";
-                  RestrictSUIDSGID = lib.mkForce "no";
-                };
-              };
-}
+{ lib, ... }:
+{
+  # who needs security lmao
+  systemd.services.systemd-journald = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-udevd = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-oomd = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-timesyncd = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-timedated = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-hostnamed = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.systemd-logind = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce "no";
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.dhcpcd = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce false;
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+  systemd.services.nginx = {
+    serviceConfig = {
+      DeviceAllow = lib.mkForce "";
+      IPAddressDeny = lib.mkForce "";
+      LockPersonality = lib.mkForce false;
+      MemoryDenyWriteExecute = lib.mkForce "no";
+      NoNewPrivileges = lib.mkForce "no";
+      ProtectClock = lib.mkForce "no";
+      RestrictAddressFamilies = lib.mkForce "";
+      RestrictNamespaces = lib.mkForce "";
+      RestrictRealtime = lib.mkForce "no";
+      RestrictSUIDSGID = lib.mkForce "no";
+      SystemCallFilter = lib.mkForce "";
+    };
+  };
+}