From 8f25a59324a6fc333a6b5d15bbda817346cf16c0 Mon Sep 17 00:00:00 2001
From: niten
Date: Thu, 12 Jan 2023 11:15:43 -0800
Subject: [PATCH] Harden the module service.

---
 objectifier-module.nix | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/objectifier-module.nix b/objectifier-module.nix
index a90d8b0..3b2b911 100644
--- a/objectifier-module.nix
+++ b/objectifier-module.nix
@@ -65,23 +65,23 @@ in {
         OBJECTIFIER_CLEANUP_DELAY = toString cfg.cleanup.delay;
       };
       serviceConfig = {
-        # PrivateUsers = true;
-        # PrivateDevices = true;
-        # PrivateTmp = true;
-        # PrivateMounts = true;
-        # ProtectControlGroups = true;
-        # ProtectKernelTunables = true;
-        # ProtectKernelModules = true;
-        # ProtectSystem = true;
-        # ProtectHostname = true;
-        # ProtectHome = true;
-        # ProtectClock = true;
-        # ProtectKernelLogs = true;
-        # DynamicUser = true;
-        # MemoryDenyWriteExecute = true;
-        # RestrictRealtime = true;
-        # LockPersonality = true;
-        # PermissionsStartOnly = true;
+        PrivateUsers = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectControlGroups = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectSystem = true;
+        ProtectHostname = true;
+        ProtectHome = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        DynamicUser = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        PermissionsStartOnly = true;
         WorkingDirectory = "${pkgs.objectifier}";
         StateDirectory = "objectifier";
         CacheDirectory = "objectifier";
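Review bot: `ProtectSystem = true;` in the new serviceConfig selects the weakest level of that directive (only /usr and the boot loader directories become read-only), and since the service already gets its writable paths from StateDirectory and CacheDirectory it can take the strongest setting, `ProtectSystem = "strict";`; note that an explicit value may also override the stricter default that DynamicUser would otherwise apply. `PermissionsStartOnly = true;` is deprecated in systemd in favour of the `+` prefix on individual ExecStartPre/ExecStart entries, so it is worth checking whether any Exec line in this unit still relies on it before keeping it. The set of enabled options also leaves the process without a syscall or address-family boundary; the usual complement to this block is `SystemCallFilter = [ "@system-service" ]; SystemCallArchitectures = "native"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` (trimmed to what the daemon actually needs), plus `RestrictNamespaces = true;` and `CapabilityBoundingSet = "";`. The serviceConfig attribute set continues past the end of the hunk.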