From 6206de09bbb8e8289d5989eed2bd5082909338eb Mon Sep 17 00:00:00 2001
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com>
Date: Mon, 18 Aug 2025 21:10:44 +0200
Subject: [PATCH 1/2] update and better

---
 nix/apps/does-it-build/default.nix | 1 +
 nix/apps/widetom/default.nix | 1 +
 nix/nixpkgs.json | 4 ++--
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix
index 7941ae7..a4dafa3 100644
--- a/nix/apps/does-it-build/default.nix
+++ b/nix/apps/does-it-build/default.nix
@@ -3,6 +3,7 @@ let
 does-it-build-base = (import (pkgs.fetchFromGitHub my-projects-versions.does-it-build.fetchFromGitHub)) { inherit pkgs; };
 does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
 DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build.commit;
+ RUSTFLAGS = "-Cforce-frame-pointers=true";
 });
 in
 {
diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix
index c7372fd..2ff0598 100644
--- a/nix/apps/widetom/default.nix
+++ b/nix/apps/widetom/default.nix
@@ -8,6 +8,7 @@ let
 meta = {
 mainProgram = "widertom";
 };
+ RUSTFLAGS = "-Cforce-frame-pointers=true";
 };
 in
 {
diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
index e63baef..4d92766 100644
--- a/nix/nixpkgs.json
+++ b/nix/nixpkgs.json
@@ -1,5 +1,5 @@
 {
 "channel": "nixos-25.05",
- "lastUpdated": "2025-08-03T11:42:11.747Z",
- "commit": "59e69648d345d6e8fef86158c555730fa12af9de"
+ "lastUpdated": "2025-08-18T18:47:54.435Z",
+ "commit": "48f4c982de68d966421d2b6f1ddbeb6227cc5ceb"
 }

From d21158e2345543411adac971e1ba9f560d9d8909 Mon Sep 17 00:00:00 2001
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com>
Date: Mon, 18 Aug 2025 21:54:20 +0200
Subject: [PATCH 2/2] harden

---
 nix/apps/widetom/default.nix | 15 +++++++++++++++
 nix/modules/default/default.nix | 16 ++++++++++++++++
 2 files changed, 31 insertions(+)
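Review bot: `RUSTFLAGS = "-Cforce-frame-pointers=true";` set in the derivation environment replaces, rather than extends, any `build.rustflags` / `target.*.rustflags` the crate declares in its `.cargo/config.toml`, because cargo gives the environment variable precedence and does not merge the two; if either project carries such a config, those flags are silently dropped — worth confirming before relying on this. The identical line is added in the widetom hunk of this patch, so the two copies can drift; a single shared value (for example next to the versions attrset both files already import) would keep them aligned. At both sites a why-comment such as `# presumably: keep frame pointers so stack sampling/unwinding works — confirm` would record the motivation, which the commit message ("update and better") does not.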
diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix
index 2ff0598..d9fcc07 100644
--- a/nix/apps/widetom/default.nix
+++ b/nix/apps/widetom/default.nix
@@ -32,6 +32,21 @@ in
 serviceConfig = {
 DynamicUser = true;
 ExecStart = lib.getExe widetom;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ CapabilityBoundingSet = "";
+ ProtectProc = "noaccess";
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "";
+ SystemCallFilter = "@system-service";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
 };
 };
diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix
index 4138af9..b14b5ab 100644
--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@@ -188,6 +188,22 @@ in
 };
 systemd.services.alloy.serviceConfig = {
 DynamicUser = lib.mkForce false;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ PrivateMounts = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = true;
+ ProtectHome = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictNamespaces = "";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ # TODO: find what's required for /proc/kallsyms (it should be CAP_SYSLOG!)
+ # CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG";
 };
 environment.etc."alloy/config.alloy".text = ''
 discovery.process "all" {
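Review bot: `SystemCallArchitectures = "";` in the widetom serviceConfig is a no-op: systemd.exec(5) documents the empty list as the default, meaning no architecture filtering at all, so non-native syscall ABIs remain reachable and the `SystemCallFilter = "@system-service";` line only constrains the native ABI. The intended setting is almost certainly `SystemCallArchitectures = "native";`. The alloy hunk in this patch uses `LockPersonality = true;`, which is absent here, and `RestrictRealtime = true;` is the other common companion of `MemoryDenyWriteExecute`; both are cheap for a network service that runs as a DynamicUser. The enclosing `systemd.services` attrset starts outside the hunk, so I cannot see whether any of these are already set at a higher level.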
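Review bot: The `/proc/kallsyms` TODO in the alloy hunk is most likely caused by the hunk itself: `ProtectKernelLogs = true;` does not only block the kernel log ring buffer, it also removes CAP_SYSLOG from the unit's capability bounding set (systemd.exec(5)), and with `kptr_restrict` set the kernel requires CAP_SYSLOG to expose real symbol addresses in kallsyms, so the read will fail or return zeroed addresses no matter what `CapabilityBoundingSet` is later set to. If kallsyms is needed for the profiling pipeline, drop `ProtectKernelLogs` (and say so in the comment) before re-enabling the commented `CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG";` line; I would also check whether CAP_PERFMON is needed, since that depends on how alloy opens its perf events. Separately, `RestrictNamespaces = "";` is also a no-op — the empty string resets to the default of no restriction — so it should read `RestrictNamespaces = true;` unless the service genuinely creates namespaces. `ProtectSystem = true;` is weaker than `"strict"`, but moving to strict needs a `StateDirectory` or `ReadWritePaths` for alloy's storage path, which I cannot see from this hunk.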