From 9015d6ebab7779b7a8a069dba1faebb550b449fe Mon Sep 17 00:00:00 2001
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com>
Date: Sun, 28 Dec 2025 18:43:32 +0100
Subject: [PATCH] update

---
 nix/apps/does-it-build/default.nix | 17 +++++++++++++++
 nix/modules/default/default.nix | 34 ++++++++++++++++++++++++++++++
 nix/my-projects.json | 6 +++---
 3 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix
index cf6b74d..a2b0244 100644
--- a/nix/apps/does-it-build/default.nix
+++ b/nix/apps/does-it-build/default.nix
@@ -49,6 +49,23 @@ in
 ];
 # GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----...
 EnvironmentFile = [ config.age.secrets.does_it_build_private_key.path ];
+
+ ProtectHome = true;
+ StateDirectory = "does-it-build";
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ PrivateMounts = true;
+ RestrictNamespaces = "";
+ RestrictSUIDSGID = true;
+ ProtectHostname = true;
 };
 };

diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix
index b14b5ab..260523c 100644
--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@@ -60,6 +60,7 @@ in

 settings = {
 PasswordAuthentication = false;
+ AllowUsers = [ "root" ];
 };
 };
 services.fail2ban = {
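Review bot: `RestrictNamespaces = "";` in the does-it-build hardening block is a no-op — per systemd.exec(5), assigning the empty string resets the directive to its default, which is equivalent to `false`, so namespace creation stays unrestricted; the pretense and quotdd units in this same patch use `RestrictNamespaces = true;`, which is presumably what was intended here. The block also omits `ProtectKernelTunables`, `CapabilityBoundingSet`, `SystemCallFilter` and `RestrictAddressFamilies`, all of which the other two services receive in this commit, and this is the unit that holds a GitHub App private key via `EnvironmentFile`. If the builder genuinely needs the wider sandbox (it may spawn nix builds — not visible in the hunk), a one-line comment such as `# no syscall/capability filter: runs nix builds` would stop the next reader from "fixing" it; otherwise bring it in line with the other units.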
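Review bot: `AllowUsers = [ "root" ];` makes root the only account reachable over SSH, but the hunk does not pin `PermitRootLogin`, so key-only root access relies on the NixOS default of `prohibit-password` continuing to hold; adding `PermitRootLogin = "prohibit-password";` next to it makes the intent explicit and survives a default change or an override elsewhere. Also, `PasswordAuthentication = false` alone does not stop PAM keyboard-interactive password prompts — unless it is already set elsewhere in this module, add `KbdInteractiveAuthentication = false;` so the fail2ban rules below are a backstop rather than the primary defence. The enclosing `services.openssh` block starts outside the hunk.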
@@ -79,6 +80,22 @@ in
 "PRETENSE_PORTS=23,3306,5432,1521" # telnet,mysql,postgres,oracle
 "PRETENSE_METRICS_PORT=9150"
 ];
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+ ProtectProc = "ptraceable";
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "";
+ SystemCallFilter = "@system-service";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ ProtectSystem = "strict";
 };
 };
 systemd.services.quotdd = {
@@ -90,6 +107,23 @@ in
 ExecStart = "${lib.getExe (quotdd {inherit pkgs;})}";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 Environment = [ ];
+
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+ ProtectProc = "ptraceable";
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "";
+ SystemCallFilter = "@system-service";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ ProtectSystem = "strict";
 };
 };
 networking.firewall.allowedTCPPorts = [
diff --git a/nix/my-projects.json b/nix/my-projects.json
index 34360b9..2e631e6 100644
--- a/nix/my-projects.json
+++ b/nix/my-projects.json
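Review bot: `SystemCallArchitectures = "";` in the pretense unit does not restrict anything — as I read systemd.exec(5), the empty string clears the architecture list, so non-native syscall ABIs (e.g. 32-bit compat) remain callable and `SystemCallFilter = "@system-service"` can be side-stepped through them; the intended hardening is `SystemCallArchitectures = "native";`, which is what the usual NixOS hardening snippets use. The rest of the block is consistent with a listener that only needs `CAP_NET_BIND_SERVICE`, but `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` will fail the service if it ever opens a Unix socket (local metrics, syslog, D-Bus), so a comment such as `# AF_UNIX omitted: logs go to stdout/journald only` records the assumption for whoever changes the logging later.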
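Review bot: The 16 hardening directives added to quotdd are a verbatim copy of the pretense block above, and the does-it-build unit in this same patch already diverges from both, so the baseline is going to drift; factor them into a `let hardening = { PrivateDevices = true; … ProtectSystem = "strict"; }; in` attrset and apply it as `serviceConfig = hardening // { ExecStart = …; AmbientCapabilities = …; Environment = [ ]; };` (or via `lib.mkMerge`), which also gives one place to correct shared mistakes such as the empty `SystemCallArchitectures`. Whether `MemoryDenyWriteExecute = true` is safe depends on quotdd's runtime — JITs and some language runtimes need W+X mappings and will crash at startup — and nothing in the hunk shows what quotdd is built from, so please confirm the unit actually starts with it enabled before merging. The `AmbientCapabilities` line only has effect if the unit runs as a non-root user (`User`/`DynamicUser`), which is not visible in this hunk.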
@@ -18,12 +18,12 @@
 }
 },
 "does-it-build": {
- "commit": "d15a7465584b5e90dc19126cc3d097683d055a63",
+ "commit": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
 "fetchFromGitHub": {
 "owner": "Noratrieb",
 "repo": "does-it-build",
- "rev": "d15a7465584b5e90dc19126cc3d097683d055a63",
- "hash": "sha256-UC+uy7Ba+VAXeBplIblrYptoI2ORsnL+U64BNGUR7CY="
+ "rev": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
+ "hash": "sha256-n7rTR3VrPt0x7QfzRnOHSxb4gSfMj4rA9kZD1RTYTWY="
 }
 },
 "upload.files.noratrieb.dev": {