From 51d9ac16f027453fe0c1fed7e1c6f37f4967bd0e Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Thu, 27 Jun 2024 14:22:38 -0700
Subject: [PATCH] chore(syncplay): service hardening

---
 modules/nixos/syncplay.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/nixos/syncplay.nix b/modules/nixos/syncplay.nix
index 89fa31a0..6de87a37 100644
--- a/modules/nixos/syncplay.nix
+++ b/modules/nixos/syncplay.nix
@@ -76,6 +76,15 @@ in {
           "${cfg.certDir}"
         ])
       ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectControlGroups = true;
+      ProtectProc = "invisible";
+      RemoveIPC = true;
     };
   };
 }
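Review bot: The added directives cover filesystem and namespace isolation but leave out the kernel-facing, network and syscall restrictions a network daemon normally gets, so `systemd-analyze security` will still report the unit as exposed: nothing in the hunk sets `ProtectKernelTunables`/`ProtectKernelModules`/`ProtectKernelLogs`, `RestrictAddressFamilies`, `RestrictNamespaces`, `SystemCallFilter`, `CapabilityBoundingSet` or `RestrictSUIDSGID`. Two of the new options also depend on context outside the hunk: `RemoveIPC = true` only takes effect when the unit sets `User=`, `Group=` or `DynamicUser=`, and `ProtectSystem = "strict"` makes the whole tree read-only, so any path syncplay writes at runtime (a rooms/state file, if one is configured) needs `ReadWritePaths` or `StateDirectory` — confirm against the rest of `serviceConfig`, which begins above this hunk. The set below is the usual baseline for a TCP-only service; `AF_UNIX` is kept for nscd-based name resolution, and the `@system-service` filter should be verified by starting the service before it is relied on, since syncplay is a Python/Twisted process and the exact syscall surface is not visible here.
```nix
      # … unchanged: bind/read-only path list and the options added in this commit …
      CapabilityBoundingSet = "";
      LockPersonality = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      UMask = "0077";
```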