From 824e30fc7cb571a655768353a9f500bcb0142f78 Mon Sep 17 00:00:00 2001
From: Bloxx12
Date: Wed, 9 Apr 2025 15:31:18 +0200
Subject: [PATCH] wayneko/module.nix: more systemd hardening tweaks
---
 modules/services/wayneko/module.nix | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/modules/services/wayneko/module.nix b/modules/services/wayneko/module.nix
index 511304d..fe2f49e 100644
--- a/modules/services/wayneko/module.nix
+++ b/modules/services/wayneko/module.nix
@@ -31,10 +31,11 @@ in {
       PrivateTmp = true;
       PrivateUsers = true;
       ProcSubset = "pid";
+      ProtectClock = true;
       ProtectControlGroups = true;
       ProtectControlGroup = true;
-      ProtectHome = "true";
+      ProtectHome = "read-only";
       ProtectHostname = true;
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
@@ -48,11 +49,7 @@ in {
       SystemCallArchitectures = ["native"];
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-        "~@resources"
-      ];
+      SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
     };
   };
 }
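Review bot: The context line `ProtectControlGroup = true;` sitting directly under `ProtectControlGroups = true;` is, as far as I know, not a systemd directive: systemd logs an unknown-key warning for it at unit load and ignores it, so it adds no protection and only hides a real typo. It predates this commit, but since the commit is touching the neighbouring hardening settings it is the moment to delete that line and keep only `ProtectControlGroups = true;`. The two changed lines themselves look fine; `ProtectClock = true;` is a valid directive and `"read-only"` is an accepted `ProtectHome=` value. The attribute set these settings belong to opens above the hunk.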
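Review bot: The new `SystemCallFilter` string on the `+` line changes the filter from an allow-list to a deny-list: a leading `~` applies to every group on that line, so the service may now issue any syscall outside the ten named groups, whereas the removed `"@system-service"` list allowed only that profile minus `@privileged` and `@resources`, and `@resources` is no longer denied at all. That is weaker than the "hardening" the subject line describes, unless the widening is deliberate because wayneko needs a syscall outside `@system-service`; if so, the commit message should say which. Keeping the allow-list and folding the new groups into the deny part preserves the intent: `SystemCallFilter = [ "@system-service" "~@privileged @resources @clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap" ];`. `ProtectClock = true`, added in the previous hunk, already implies a `~@clock` filter, so the explicit `@clock` entry is redundant but harmless. The `serviceConfig` set these lines close with `};` opens above the hunk.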