common/thermald: enable

2024-12-03 13:21:59 +01:00 · 2024-12-03 13:21:59 +01:00 · 020bc31713
commit 020bc31713
parent 8a41a97bbf
2 changed files with 47 additions and 0 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -22,6 +22,7 @@ in {
    ./services/resolved.nix
    ./services/smartd.nix
    ./services/systemd-lock-handler.nix
+    ./services/thermald.nix
    ./services/uptimed.nix
    ./services/userborn.nix
    ./services/xserver.nix
--- a/hosts/common/services/thermald.nix
+++ b/hosts/common/services/thermald.nix
@ -0,0 +1,46 @@
+{ config, lib, ... }:
+{
+  services.thermald.enable = true;
+
+    systemd.services.thermald = lib.mkIf config.services.thermald.enable {
+    documentation = [ "man:thermald(8)" "man:thermal-conf.xml(5)" ];
+    unitConfig.ConditionVirtualization = "no";
+
+    serviceConfig = {
+      PrivateUsers = true;
+      PrivateNetwork = true;
+
+      # AmbientCapabilities = [ "" ];
+      # CapabilityBoundingSet = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      # PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = "yes";
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true; #?
+      ProtectProc = "invisible"; #?
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      UMask = "0777";
+      RestrictNamespaces = true;
+      # RestrictRealtime = true; #?
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SocketBindDeny = [ "any" ];
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+    };
+  };
+}
+