From 560e2965325cc63f9c91ce59b624944bca86c54e Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sun, 17 Apr 2022 00:18:03 +0800
Subject: [PATCH] services/yt-dlp: harden the service
---
 modules/nixos/services/yt-dlp.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/nixos/services/yt-dlp.nix b/modules/nixos/services/yt-dlp.nix
index 1cdec11a..86a17220 100644
--- a/modules/nixos/services/yt-dlp.nix
+++ b/modules/nixos/services/yt-dlp.nix
@@ -126,6 +126,14 @@ in {
 } ${lib.escapeShellArgs value.urls}
 '';
 startAt = value.startAt;
+ serviceConfig = {
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ ProtectControlGroup = true;
+ ProtectClock = true;
+ ProtectKernelModule = true;
+ ProtectKernelLogs = true;
+ };
 }) cfg.jobs;
 };
 }
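Review bot: Two of the keys added to `serviceConfig` are not systemd directive names: `ProtectControlGroup` and `ProtectKernelModule` are each missing the trailing `s`. systemd normally logs an unknown key in `[Service]` and ignores it, so the unit would start without cgroup or kernel-module protection while the module reads as if both were on. The lines should be `ProtectControlGroups = true;` and `ProtectKernelModules = true;`. Running `systemd-analyze security <unit>` against one of the generated job units would confirm which sandboxing options actually took effect. The attribute set being extended starts above the hunk, so whether other settings there interact with these is not visible here.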