nixos/gotenberg: fix service config for chromium

NixOS · Dec 7, 2024 · 15a595e · 15a595e
1 parent 00c682e
commit 15a595e
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/nixos/modules/services/misc/gotenberg.nix b/nixos/modules/services/misc/gotenberg.nix
@@ -228,7 +228,6 @@ in
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
-        ProcSubset = "pid";
 
         RestrictAddressFamilies = [
           "AF_UNIX"
@@ -240,11 +239,10 @@ in
         RestrictRealtime = true;
 
         LockPersonality = true;
-        MemoryDenyWriteExecute = true;
 
         SystemCallFilter = [
+          "@sandbox"
           "@system-service"
-          "~@privileged"
         ];
         SystemCallArchitectures = "native";