64 lines
1.5 KiB
Nix
64 lines
1.5 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.networking.wireless;
|
|
in
|
|
{
|
|
systemd.services.wpa_supplicant.serviceConfig = lib.mkIf (cfg.enable || config.networking.hostName == "xps16") {
|
|
RuntimeDirectory = [
|
|
"wpa_supplicant"
|
|
"wpa_supplicant/root-mnt"
|
|
];
|
|
RootDirectory = "/run/wpa_supplicant/root-mnt";
|
|
BindPaths = [
|
|
"/etc"
|
|
"/run/dbus/system_bus_socket"
|
|
"/tmp"
|
|
];
|
|
BindReadOnlyPaths = [
|
|
# "/bin/sh"
|
|
builtins.storeDir
|
|
];
|
|
|
|
# wpa_ctrl puts sockets in /tmp
|
|
PrivateTmp = false;
|
|
# PrivateTmp = lib.mkIf (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) "disconnected";
|
|
|
|
CapabilityBoundingSet = [
|
|
"CAP_NET_ADMIN"
|
|
"CAP_BLOCK_SUSPEND"
|
|
"CAP_NET_RAW"
|
|
"CAP_CHOWN"
|
|
];
|
|
RestrictNamespaces = true;
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@resources"
|
|
"@chown"
|
|
];
|
|
ProtectProc = "invisible";
|
|
SystemCallArchitectures = "native";
|
|
DeviceAllow = "/dev/rfkill";
|
|
DevicePolicy = "closed";
|
|
NoNewPrivileges = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelModules = true;
|
|
ProtectSystem = true;
|
|
ProtectHome = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProtectHostname = true;
|
|
LockPersonality = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictAddressFamilies = [
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
"AF_NETLINK"
|
|
"AF_PACKET"
|
|
# "AF_ALG" # Used for 'linux' TLS backend
|
|
] ++ lib.optionals cfg.dbusControlled [
|
|
"AF_UNIX"
|
|
];
|
|
};
|
|
}
|