diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix
index 1920a5c11c56..d130e4433a6f 100644
--- a/nixos/modules/services/networking/blocky.nix
+++ b/nixos/modules/services/networking/blocky.nix
@@ -30,16 +30,56 @@ in
   config = lib.mkIf cfg.enable {
     systemd.services.blocky = {
       description = "A DNS proxy and ad-blocker for the local network";
-      wantedBy = [ "multi-user.target" ];
-
+      wants = [
+        "network-online.target"
+        "nss-lookup.target"
+      ];
+      before = [
+        "nss-lookup.target"
+      ];
+      wantedBy = [
+        "multi-user.target"
+      ];
       serviceConfig = {
-        DynamicUser = true;
-        ExecStart = "${lib.getExe cfg.package} --config ${configFile}";
-        Restart = "on-failure";
-
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        DynamicUser = true;
+        ExecStart = "${lib.getExe cfg.package} --config ${configFile}";
+        LockPersonality = true;
+        LogsDirectory = "blocky";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        NonBlocking = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        Restart = "on-failure";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RuntimeDirectory = "blocky";
+        StateDirectory = "blocky";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "@chown"
+          "~@aio"
+          "~@keyring"
+          "~@memlock"
+          "~@setuid"
+          "~@timer"
+        ];
       };
     };
   };
+  meta.maintainers = with lib.maintainers; [ paepcke ];
 }
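Review bot: The new `wants = [ "network-online.target" ... ]` pulls the target in but does not order the unit after it, so blocky can still start before the network is up; add `after = [ "network-online.target" ];` next to the new `before` list. The `ProtectSystem = "strict"` hardening together with `LogsDirectory`/`RuntimeDirectory`/`StateDirectory` only leaves those three paths writable, which seems right as long as the generated `configFile` (defined outside the hunk) points any cache, log or query-log paths into them — worth a short comment above `ProtectSystem` stating that assumption. `RestrictAddressFamilies` admits only `AF_INET`/`AF_INET6`; if the daemon ever needs a local Unix socket (for example a `Type=notify` readiness handshake or a local upstream over a socket) that would now fail at connect time, so I would add `# AF_UNIX deliberately excluded; revisit if sd_notify or a unix-socket upstream is used` so the omission reads as intended rather than an oversight. For completeness, `ProtectProc = "invisible";` and `UMask = "0077";` are the usual companions to this sandbox set and would be consistent with the rest of the block.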