hosts/common/default.nix

@@ -12,9 +12,7 @@ in {
     ./programs/ssh.nix
     ./programs/usbtop.nix
 
-    ./services/cups.nix
     ./services/dbus.nix
-    ./services/logrotate.nix
     ./services/openssh.nix
     ./services/pcscd.nix
     ./services/pipewire.nix

hosts/common/services/cups.nix

@@ -1,71 +0,0 @@
-{ config, lib, ... }:
-{
-  systemd.services = lib.mkIf config.services.printing.enable {
-    cups.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true; 
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-    cups-browsed.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-  };
-}

hosts/common/services/logrotate.nix

@@ -1,42 +0,0 @@
-{ ... }:
-{
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
-  systemd.services.logrotate = {
-    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
-    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
-  };
-}