···

       
484
       
484
       
 
       
              -gui-address=${cfg.guiAddress} \

     

       
485
       
485
       
 
       
              -home=${cfg.configDir}

     

       
486
       
486
       
 
       
          '';

     

       
487
       
487
       
+
       
          MemoryDenyWriteExecute = true;

     

       
488
       
488
       
+
       
          NoNewPrivileges = true;

     

       
489
       
489
       
+
       
          PrivateDevices = true;

     

       
490
       
490
       
+
       
          PrivateMounts = true;

     

       
491
       
491
       
+
       
          PrivateTmp = true;

     

       
492
       
492
       
+
       
          PrivateUsers = true;

     

       
493
       
493
       
+
       
          ProtectControlGroups = true;

     

       
494
       
494
       
+
       
          ProtectHostname = true;

     

       
495
       
495
       
+
       
          ProtectKernelModules = true;

     

       
496
       
496
       
+
       
          ProtectKernelTunables = true;

     

       
497
       
497
       
+
       
          RestrictNamespaces = true;

     

       
498
       
498
       
+
       
          RestrictRealtime = true;

     

       
499
       
499
       
+
       
          RestrictSUIDSGID = true;

     

       
500
       
500
       
+
       
          CapabilityBoundingSet = [

     

       
501
       
501
       
+
       
            "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN"

     

       
502
       
502
       
+
       
            "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP"

     

       
503
       
503
       
+
       
            "~CAP_SYS_TIME" "~CAP_KILL"

     

       
504
       
504
       
+
       
          ];

     

       
487
       
505
       
 
       
        };

     

       
488
       
506
       
 
       
      };

     

       
489
       
507
       
 
       
      syncthing-init = mkIf (