From f34d793bb6a383d52dd4606a8e8adf9a7d915641 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 27 Jul 2023 22:21:30 +0800
Subject: [PATCH] services/wezterm-mux-server: update hardening settings

---
 modules/nixos/services/wezterm-mux-server.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/nixos/services/wezterm-mux-server.nix b/modules/nixos/services/wezterm-mux-server.nix
index f4053b23..765fdbfe 100644
--- a/modules/nixos/services/wezterm-mux-server.nix
+++ b/modules/nixos/services/wezterm-mux-server.nix
@@ -46,9 +46,17 @@ in
 RestrictRealtime = true;
 ProtectClock = true;
 ProtectKernelLogs = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectHome = true;
 ProtectHostname = true;
 ProtectControlGroups = true;
 ProtectProc = "invisible";
+ ProcSubset = "pid";
+
+ RuntimeDirectory = "wezterm";
+ CacheDirectory = "wezterm";
+ StateDirectory = "wezterm";
 
 # Filtering system calls.
 SystemCallFilter = [
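Review bot: `ProtectHome = true;` on the third added line is the one setting here whose effect is not self-evident for this service: a mux server exists to spawn terminal sessions, and every child it exec's inherits the sandbox's mount namespace, so those sessions will see an empty /home and /root regardless of which user the unit runs as (the user/group settings are outside this hunk, so whether that matters cannot be confirmed from here). The added RuntimeDirectory/CacheDirectory/StateDirectory keys presumably exist to give the daemon writable paths that do not depend on $HOME; that rationale is worth recording, e.g. `# Writable locations under /run, /var/cache and /var/lib — the unit must not rely on $HOME once ProtectHome is on.` above `RuntimeDirectory`. Similarly, `ProcSubset = "pid";` hides everything in /proc except PID directories (so /proc/sys, /proc/cpuinfo, /proc/meminfo disappear for the daemon and its children); a one-line comment stating that this was tested against the mux server's startup would help the next maintainer distinguish a deliberate choice from an unverified copy of a hardening template. The enclosing serviceConfig attribute set starts before and continues past this hunk.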