nix-powerpc/disable-systemd-security.nix

{ lib, ... }:
{
  # who needs security lmao
  systemd.services.systemd-journald = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-udevd = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-oomd = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-timesyncd = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-timedated = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-hostnamed = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.systemd-logind = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.dhcpcd = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce false;
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce false;
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
}