From 95ffbf6300eb902f10cbbab580332883d845efc0 Mon Sep 17 00:00:00 2001
From: stuce-bot
Date: Tue, 10 Jun 2025 12:32:37 +0200
Subject: [PATCH] added some security options

---
 flake.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/flake.nix b/flake.nix
index b95ca06..d34867b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -79,6 +79,30 @@
         serviceConfig = {
           ExecStart = "${cfg.package}/bin/sTodo";
           Restart = "always";
+          User = "sTodo";
+          Group = "sTodo";
+          StateDirectory = "sTodo";
+          StateDirectoryMode = "0700";
+
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          DeviceAllow = "";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+
+          PrivateDevices = true;
+          PrivateUsers = true;
+
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = "read-only";
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "noaccess";
+          ProtectSystem = "strict";
         };
         environment = {
           YESOD_PORT = "${toString cfg.port}";
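Review bot: The unit now runs as `User = "sTodo"` / `Group = "sTodo"`, but nothing in this hunk creates that account, so the service will fail to start unless a `users.users.sTodo` declaration exists elsewhere in flake.nix; since `StateDirectory` is already set, `DynamicUser = true;` would let systemd allocate the account and own `/var/lib/sTodo` without a static user, or the module should declare the user alongside this change. An empty `CapabilityBoundingSet` also drops `CAP_NET_BIND_SERVICE`, so the bind will fail if `cfg.port` is below 1024 — worth an assertion in the module or a note on the port option. The set leaves out the usual companions that `systemd-analyze security` will still flag (`RestrictAddressFamilies`, `RestrictNamespaces`, `RestrictRealtime`, `RestrictSUIDSGID`, `SystemCallArchitectures`, `SystemCallFilter`, `PrivateTmp`); suggested additions below, with `AF_UNIX` to be added to the address families only if the app talks to a local socket. `MemoryDenyWriteExecute = true` should be verified against the binary's runtime before merging — the `YESOD_PORT` variable suggests a Haskell/GHC program, and some GHC foreign-call paths need writable-executable mappings, which this setting forbids. The `serviceConfig` block is fully inside the hunk, but the rest of the module (user declarations, the `port` option) is not visible here.
```nix
        serviceConfig = {
          # … unchanged: ExecStart, Restart and the hardening options already in this hunk …
          PrivateTmp = true;
          RemoveIPC = true;
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
          UMask = "0077";
```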