From c9d497c3fcce91f613ad9abb84b8fc832754bbea Mon Sep 17 00:00:00 2001
From: Gabriel Arazas <foo.dogsquared@gmail.com>
Date: Fri, 29 Apr 2022 16:54:36 +0800
Subject: [PATCH] services/yt-dlp: update hardening options

---
 modules/nixos/services/yt-dlp.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/modules/nixos/services/yt-dlp.nix b/modules/nixos/services/yt-dlp.nix
index d34687f6..1d0cd377 100644
--- a/modules/nixos/services/yt-dlp.nix
+++ b/modules/nixos/services/yt-dlp.nix
@@ -66,7 +66,7 @@ in {
         The location of the archive to be downloaded. Must be an absolute path.
       '';
       default = "/archives/yt-dlp-service";
-      example = lib.literalExpression "/archiving-service/videos";
+      example = lib.literalExpression "/var/archives/yt-dlp-service";
     };
 
     extraArgs = lib.mkOption {
@@ -129,12 +129,18 @@ in {
         '';
         startAt = value.startAt;
         serviceConfig = {
+          LockPersonality = true;
           NoNewPrivileges = true;
           PrivateTmp = true;
+          PrivateUsers = true;
+          PrivateDevices = true;
           ProtectControlGroups = true;
           ProtectClock = true;
-          ProtectKernelModules = true;
           ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          SystemCallFilter = "@system-service";
+          SystemCallErrorNumber = "EPERM";
         };
       }) cfg.jobs;
   };