diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index c117b12..40da2f8 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -48,7 +48,6 @@ in {
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
- "~@privileged"
 "@mount" # Required by platformio for chroot
 ];
 UMask = "0077";
@@ -64,6 +63,7 @@ in {
 users.groups.esphome.gid = 316;
+ # TODO esphome.sock permissions pls nginx currently world writable
 services.nginx.upstreams = {
 "esphome" = {
 servers = {"unix:/run/esphome/esphome.sock" = {};};
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index e576088..6cae831 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@@ -79,13 +79,13 @@
 serviceConfig = {
 ExecReload = "/bin/kill -HUP $MAINPID";
 RuntimeDirectory = "hostapd";
- DeviceAllow = "/dev/rfkill rw";
 # Hardening
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
+ DevicePolicy = "closed";
+ DeviceAllow = "/dev/rfkill rw";
 NoNewPrivileges = true;
- PrivateDevices = true;
 PrivateUsers = false; # hostapd requires real system root access.
 PrivateTmp = true;
 ProtectClock = true;
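Review bot: Dropping `"~@privileged"` from SystemCallFilter re-admits the entire privileged syscall group to the esphome service, and nothing in the hunk records which call platformio's chroot step actually needs. If it is `chroot` itself (a member of @privileged), a narrower form that keeps the deny entry and re-allows only that call, e.g. `"~@privileged" "chroot" # platformio chroot`, would preserve the rest of the restriction — assuming systemd merges the list entries in order, which is worth confirming before relying on it. At minimum a comment next to `"@mount"` naming the failing call would let the relaxation be reverted later. The serviceConfig attribute set this list belongs to starts and ends outside the hunk.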
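Review bot: The added TODO states that /run/esphome/esphome.sock is world writable but leaves it that way, so any local user can talk to the esphome dashboard directly, bypassing whatever nginx enforces in front of it. The usual remedy is to restrict the socket to the esphome group and add the nginx user to that group (`users.users.nginx.extraGroups = [ "esphome" ];`), but whether the socket mode is controllable from this module depends on how esphome creates it, which is not visible here. Rewording the comment to name the intended fix, e.g. `# TODO restrict esphome.sock to group esphome (0660) and add nginx to the group; currently world writable`, makes the open issue actionable. The services.nginx.upstreams attribute set continues past the end of the hunk.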
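Review bot: Removing `PrivateDevices = true;` gives up more than the private /dev: per the systemd.exec documentation that setting also removes CAP_MKNOD and CAP_SYS_RAWIO from the bounding set and installs a filter for the @raw-io syscall group, while the new `DevicePolicy = "closed";` / `DeviceAllow = "/dev/rfkill rw";` pair restores only the device-node restriction. Unless the rest of serviceConfig, which begins before and continues past this hunk, already sets CapabilityBoundingSet and a SystemCallFilter, consider adding `SystemCallFilter = ["~@raw-io"];` and excluding CAP_MKNOD and CAP_SYS_RAWIO explicitly so the swap stays neutral for everything except rfkill access. A comment on the DevicePolicy line, e.g. `# PrivateDevices would hide /dev/rfkill, so use a closed device policy with an explicit allow instead`, records why the more common hardening option was replaced.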