treewide: update to nixos 23.11

2023-12-18 20:59:48 +01:00
parent fe30e15f5b
commit 3a52ba8901
9 changed files with 71 additions and 122 deletions
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -82,6 +82,7 @@
    };
    groups = {
      media = {};
+      nix-builder = {};
    };
  };

--- a/hosts/tsuki/services/atuin.nix
+++ b/hosts/tsuki/services/atuin.nix
@@ -8,43 +8,7 @@ in
    openRegistration = false;
  };

-  systemd.services.atuin = {
-    requires = [ "postgresql.service" ];
-    serviceConfig = {
-      # Hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateMounts = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RemoveIPC = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        # Required for connecting to database sockets,
-        # and listening to unix socket at `cfg.settings.path`
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged";
-      UMask = "0007";
-    };
-  };
+  systemd.services.atuin.requires = [ "postgresql.service" ];

  local.socketActivation.atuin = {
    enable = cfg.enable;