diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
index 8f2df380cfe..ee351eb8447 100644
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@@ -2,19 +2,19 @@
with lib;
{
- options = {
- security.hideProcessInformation = mkEnableOption "" // { description = ''
- Restrict access to process information to the owning user. Enabling
- this option implies, among other things, that command-line arguments
- remain private. This option is recommended for most systems, unless
- there's a legitimate reason for allowing unprivileged users to inspect
- the process information of other users.
+ meta = {
+ maintainers = [ maintainers.joachifm ];
+ doc = ./hidepid.xml;
+ };
- Members of the group "proc" are exempt from process information hiding.
- To allow a service to run without process information hiding, add "proc"
- to its supplementary groups via
- .
- ''; };
+ options = {
+ security.hideProcessInformation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Restrict process information to the owning user.
+ '';
+ };
};
config = mkIf config.security.hideProcessInformation {
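Review bot: The new `description` at L28–L30 drops the one security-relevant caveat the old text carried: members of the `proc` group bypass the hiding, so the option is not an unconditional guarantee that process information is private. A reader of `nixos-option` or the generated options table sees only "Restrict process information to the owning user." and has no pointer to the longer hidepid.xml section that now holds the exemption and the `SupplementaryGroups` recipe. I would keep the description short but add the exemption and a cross-reference, e.g. `Restrict process information to the owning user. Members of the "proc" group are exempt; see the NixOS manual section on hiding process information.`. The enclosing module attribute set continues past the hunk (the `config = mkIf …` block at L33 is cut off), so I cannot confirm that the `proc` group itself is still created there.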
diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml
new file mode 100644
index 00000000000..5715ee7ac16
--- /dev/null
+++ b/nixos/modules/security/hidepid.xml
@@ -0,0 +1,33 @@
+
+
+ Hiding process information
+
+
+ Setting
+
+ security.hideProcessInformation = true;
+
+ ensures that access to process information is restricted to the
+ owning user. This implies, among other things, that command-line
+ arguments remain private. Unless your deployment relies on unprivileged
+ users being able to inspect the process information of other users, this
+ option should be safe to enable.
+
+
+
+ Members of the proc group are exempt from process
+ information hiding.
+
+
+
+ To allow a service foo to run without process information hiding, set
+
+ systemd.services.foo.serviceConfig.SupplementaryGroups = [ "proc" ];
+
+
+
+