From 34ad013b10102dfd02c2aedda8af2dc4e2402457 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 29 Sep 2024 22:35:14 +0300
Subject: [PATCH] immich: less privileges

---
 modules/services/immich/default.nix | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
index f41760d..09c8cf5 100644
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@@ -60,7 +60,6 @@ in
           name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}"
         ) cfg.bindPaths;
         PrivateDevices = lib.mkForce false; # /dev/fuse
-        ProtectHome = lib.mkForce false; # binding /home/motiejus
         CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
         # testing
@@ -71,13 +70,6 @@ in
         PrivateMounts = lib.mkForce false;
         ProtectClock = lib.mkForce false;
         ProtectControlGroups = lib.mkForce false;
-        ProtectHostname = lib.mkForce false;
-        ProtectKernelLogs = lib.mkForce false;
-        ProtectKernelModules = lib.mkForce false;
-        ProtectKernelTunables = lib.mkForce false;
-        RestrictNamespaces = lib.mkForce false;
-        RestrictRealtime = lib.mkForce false;
-        RestrictSUIDSGID = lib.mkForce false;
       };
     };
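Review bot: Dropping the `ProtectHome = lib.mkForce false` override in the first hunk leaves `cfg.bindPaths` with no guard against source paths under /home: the removed line's own comment says it existed for binding /home/motiejus, and once ProtectHome falls back to whatever the hardened base of this unit sets (presumably `true` or `"read-only"`; not visible here), a bind path rooted in /home would be masked inside the unit's mount namespace and the mapping built on the `name: srcpath:` line just above would silently expose an empty or inaccessible directory. I would add a module-level assertion such as `assertions = [{ assertion = !lib.any (p: lib.hasPrefix "/home/" p) (lib.attrValues cfg.bindPaths); message = "immich: bindPaths under /home need ProtectHome=false"; }];` (assuming bindPaths is an attrset, as the `) cfg.bindPaths;` mapping suggests), or at least document the constraint on the bindPaths option. The unchanged `CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"` line also deserves a comment now that the second hunk re-enables ProtectKernelTunables, RestrictNamespaces and friends, because a process holding CAP_SYS_ADMIN makes those a weaker boundary than the diff makes them look; something like `# CAP_SYS_ADMIN is required for /dev/fuse and largely negates the Protect*/Restrict* defaults below` would keep the next reader from over-trusting them. The enclosing serviceConfig attribute set begins before the first hunk and the `# testing` group continues between the two hunks.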