From cb5aaf3efc7db7174986472449df43fe4be87e7c Mon Sep 17 00:00:00 2001
From: niten <niten@fudo.org>
Date: Sun, 22 Jan 2023 16:17:03 -0800
Subject: [PATCH] Okay, now lock some stuff

---
 objectifier-module.nix | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/objectifier-module.nix b/objectifier-module.nix
index a90d8b0..769b6e1 100644
--- a/objectifier-module.nix
+++ b/objectifier-module.nix
@@ -65,21 +65,21 @@ in {
         OBJECTIFIER_CLEANUP_DELAY = toString cfg.cleanup.delay;
       };
       serviceConfig = {
-        # PrivateUsers = true;
-        # PrivateDevices = true;
-        # PrivateTmp = true;
-        # PrivateMounts = true;
-        # ProtectControlGroups = true;
-        # ProtectKernelTunables = true;
-        # ProtectKernelModules = true;
-        # ProtectSystem = true;
-        # ProtectHostname = true;
-        # ProtectHome = true;
-        # ProtectClock = true;
-        # ProtectKernelLogs = true;
-        # DynamicUser = true;
-        # MemoryDenyWriteExecute = true;
-        # RestrictRealtime = true;
+        PrivateUsers = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectControlGroups = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectSystem = true;
+        ProtectHostname = true;
+        ProtectHome = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        DynamicUser = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
         # LockPersonality = true;
         # PermissionsStartOnly = true;
         WorkingDirectory = "${pkgs.objectifier}";