										 |  |  | { config, lib, ... }: | 
					
						
							| 
									
										
										
										
											2016-04-09 20:22:16 +02:00
										 |  |  | with lib; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2016-09-15 15:23:52 +02:00
										 |  |  |   meta = { | 
					
						
							|  |  |  |     maintainers = [ maintainers.joachifm ]; | 
					
						
							|  |  |  |     doc = ./hidepid.xml; | 
					
						
							|  |  |  |   }; | 
					
						
							| 
									
										
										
										
											2016-04-09 20:22:16 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-09-15 15:23:52 +02:00
										 |  |  |   options = { | 
					
						
							|  |  |  |     security.hideProcessInformation = mkOption { | 
					
						
							|  |  |  |       type = types.bool; | 
					
						
							|  |  |  |       default = false; | 
					
						
							|  |  |  |       description = ''
 | 
					
						
							|  |  |  |         Restrict process information to the owning user. | 
					
						
							|  |  |  |       '';
 | 
					
						
							|  |  |  |     }; | 
					
						
							| 
									
										
										
										
											2016-04-09 20:22:16 +02:00
										 |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   config = mkIf config.security.hideProcessInformation { | 
					
						
							|  |  |  |     users.groups.proc.gid = config.ids.gids.proc; | 
					
						
							| 
									
										
										
										
											2016-11-29 02:16:15 +01:00
										 |  |  |     users.groups.proc.members = [ "polkituser" ]; | 
					
						
							| 
									
										
										
										
											2016-04-09 20:22:16 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-08-31 17:16:30 +03:00
										 |  |  |     boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; | 
					
						
							| 
									
										
										
										
											2016-11-29 02:16:15 +01:00
										 |  |  |     systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; | 
					
						
							| 
									
										
										
										
											2016-04-09 20:22:16 +02:00
										 |  |  |   }; | 
					
						
							|  |  |  | } |