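{ lib, ... }:

let
  # Services whose upstream NixOS sandboxing is switched off below.  The
  # list is the single place to add or drop a service; every entry gets the
  # identical `disableHardening` serviceConfig.  dhcpcd and nginx are
  # network-facing, so they lose the most protection from this override.
  unhardenedServices = [
    "systemd-journald"
    "systemd-udevd"
    "systemd-oomd"
    "systemd-timesyncd"
    "systemd-timedated"
    "systemd-hostnamed"
    "systemd-logind"
    "dhcpcd"
    "nginx"
  ];

  # `lib.mkForce` overrides the values NixOS's own modules set for these units.
  # For systemd list settings an empty assignment resets the list (so the
  # corresponding filter is gone); "no" turns a boolean knob off.
  # Consistency fix: the original used `false` for LockPersonality on dhcpcd and
  # nginx and "no" elsewhere — NixOS renders `false` as the string "false",
  # which systemd reads as the same boolean off, so one spelling is used here.
  disableHardening = {
    DeviceAllow = lib.mkForce "";              # device allow-list reset: all device nodes reachable again
    IPAddressDeny = lib.mkForce "";            # IP address filter reset
    LockPersonality = lib.mkForce "no";        # personality(2) may be changed again
    MemoryDenyWriteExecute = lib.mkForce "no"; # writable+executable mappings allowed again
    NoNewPrivileges = lib.mkForce "no";        # privileges may be gained across exec (setuid, file caps)
    ProtectClock = lib.mkForce "no";           # system clock writable again
    RestrictAddressFamilies = lib.mkForce "";  # socket family restriction reset
    RestrictNamespaces = lib.mkForce "";       # namespace restriction reset
    RestrictRealtime = lib.mkForce "no";       # realtime scheduling allowed again
    RestrictSUIDSGID = lib.mkForce "no";       # creating setuid/setgid files allowed again
    SystemCallFilter = lib.mkForce "";         # seccomp syscall filter reset: no allow-list
  };
in
{
  # who needs security lmao
  #
  # NOTE(review): this defines systemd.services.<name> for every listed
  # service even when the service is not otherwise enabled (e.g. nginx) —
  # confirm each entry belongs to a unit that actually exists on this host.
  systemd.services = lib.genAttrs unhardenedServices (_: {
    serviceConfig = disableHardening;
  });
}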