# NixOS module behind the security.hideProcessInformation option.
#
# When enabled, /proc is mounted with hidepid=2, so a user can only see the
# /proc/<pid> entries of their own processes (the entries of other users'
# processes are not merely unreadable but absent).  The gid= mount option names
# one group that is exempt from this restriction; this module creates a
# dedicated "proc" group for that purpose and puts polkit and logind in it, as
# both need to look at other users' processes.  Any further service that must
# enumerate all processes would likewise have to be made a member of "proc".
{ config, pkgs, lib, ... }:

let
  enabled = config.security.hideProcessInformation;
  # Statically allocated gid of the "proc" group, shared with the gid= mount
  # option so that both refer to the same group.
  procGid = config.ids.gids.proc;
in
{
  meta = {
    maintainers = [ lib.maintainers.joachifm ];
    doc = ./hidepid.xml;
  };

  options.security.hideProcessInformation = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Restrict process information to the owning user.
    '';
  };

  config = lib.mkIf enabled {
    # Group whose members may still read the /proc entries of other users.
    users.groups.proc = {
      gid = procGid;
      members = [ "polkituser" ];
    };

    # hidepid=2 hides other users' /proc/<pid> directories entirely; gid=
    # exempts the "proc" group from that restriction.
    boot.specialFileSystems."/proc".options = [
      "hidepid=2"
      "gid=${toString procGid}"
    ];

    # logind is granted the group through its systemd unit rather than through
    # a user account membership.
    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
  };
}