From cffc206eb43f49228b2749d947f3967e1bfde706 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Fri, 29 Apr 2022 16:55:09 +0800
Subject: [PATCH] services/gallery-dl: update hardening options

---
 modules/nixos/services/gallery-dl.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/modules/nixos/services/gallery-dl.nix b/modules/nixos/services/gallery-dl.nix
index 08ea5c38..c236d7d3 100644
--- a/modules/nixos/services/gallery-dl.nix
+++ b/modules/nixos/services/gallery-dl.nix
@@ -73,7 +73,7 @@ in {
 to be created at the time of running the service.
 '';
 default = "/archives/gallery-dl-service";
- example = lib.literalExpression "/archiving-service/photos";
+ example = lib.literalExpression "/var/archives/gallery-dl-services";
 };
 
 settings = lib.mkOption {
@@ -153,12 +153,18 @@ in {
 '';
 startAt = value.startAt;
 serviceConfig = {
+ LockPersonality = true;
 NoNewPrivileges = true;
 PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
 ProtectControlGroups = true;
 ProtectClock = true;
- ProtectKernelModules = true;
 ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
 };
 }) cfg.jobs;
 };
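Review bot: `SystemCallFilter = "@system-service"` in the second hunk is added without `SystemCallArchitectures = "native"`, so on multi-ABI hosts the seccomp filter still admits calls made through a foreign ABI; add `SystemCallArchitectures = "native";` beside it. The `serviceConfig` attrset is visible in full here and carries no `User`/`DynamicUser` and no `CapabilityBoundingSet`, so unless those are merged in from elsewhere in the module the job still runs as root with every capability, which limits what `PrivateUsers`, `ProtectKernelTunables` and the filter actually deny. Because the job only needs to write under the configured archive path, `DynamicUser = true;` together with `ReadWritePaths` for that directory (or at minimum `CapabilityBoundingSet = "";`) would make the rest of the hardening effective. `@system-service` is also a broad allow-list (it includes `@setuid`, `@chown` and `@resources`), so the usual tightening for a downloader is `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];`. The per-job lambda that produces this attrset begins before the hunk, so any `User`/`DynamicUser` set on the outer service definition would not show here.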