diff --git a/hosts/common/default.nix b/hosts/common/default.nix index f6bf6f4..b8d657a 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -12,6 +12,7 @@ in { ./programs/ssh.nix ./programs/usbtop.nix + ./services/cups.nix ./services/dbus.nix ./services/openssh.nix ./services/pcscd.nix diff --git a/hosts/common/services/cups.nix b/hosts/common/services/cups.nix new file mode 100644 index 0000000..d4a9feb --- /dev/null +++ b/hosts/common/services/cups.nix @@ -0,0 +1,71 @@ +{ config, lib, ... }: +{ + systemd.services = lib.mkIf config.services.printing.enable { + cups.serviceConfig = { + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectClock= true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + PrivateDevices = true; + NoNewPrivileges = true; + # User = + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + RemoveIPC = true; + # RestrictAddressFamilies = [ "" ]; + RestrictNamespaces=true; + RestrictRealtime=true; + RestrictSUIDSGID=true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + cups-browsed.serviceConfig = { + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectClock= true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + PrivateDevices = true; + NoNewPrivileges = true; + # User = + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + RemoveIPC = true; + # RestrictAddressFamilies = [ "" ]; + RestrictNamespaces=true; + RestrictRealtime=true; + RestrictSUIDSGID=true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }; +}