author snicket2100 <57048005+snicket2100@users.noreply.github.com> 2020-01-25 00:28:25 +0100
committer snicket2100 <57048005+snicket2100@users.noreply.github.com> 2020-01-25 00:28:25 +0100
commit a5ab9470033a550bf510c26fd68a99f21586b39b
tree 903841460f3b94983fbce0312060c6e46e0c72a7
parent e96265ebcd2564997168b06d87d06719cd3ada8f
irqbalance: systemd service config aligned with upstream
Aligned systemd service config with the definition in the upstream repo:
https://github.com/Irqbalance/irqbalance/blob/master/misc/irqbalance.service#L7.

Other than adding some level of sandboxing it also fixes the "Daemon
couldn't be bound to the file-based socket." warning reported on
irqbalance startup due to the fact that the "/run/irqbalance" directory
didn't exist. The "RuntimeDirectory" property makes sure it gets
created. The aforementioned warning didn't cause any problems I could
spot though.

I have verified that both `irqbalance` as well as `irqbalance-ui` work
fine with this new systemd service config.
-rw-r--r-- nixos/modules/services/hardware/irqbalance.nix 11
1 files changed, 9 insertions, 2 deletions
diff --git a/nixos/modules/services/hardware/irqbalance.nix b/nixos/modules/services/hardware/irqbalance.nix
index b139154432c..39c139576bf 100644
--- a/nixos/modules/services/hardware/irqbalance.nix
+++ b/nixos/modules/services/hardware/irqbalance.nix
@@ -17,8 +17,15 @@ in
       irqbalance = {
         description = "irqbalance daemon";
         path = [ pkgs.irqbalance ];
-        serviceConfig =
-          { ExecStart = "${pkgs.irqbalance}/bin/irqbalance --foreground"; };
+        serviceConfig = {
+          ExecStart = "${pkgs.irqbalance}/bin/irqbalance --foreground";
+          CapabilityBoundingSet = "";
+          NoNewPrivileges = "yes";
+          ReadOnlyPaths = "/";
+          ReadWritePaths = "/proc/irq";
+          RestrictAddressFamilies = "AF_UNIX";
+          RuntimeDirectory = "irqbalance/";
+        };
         wantedBy = [ "multi-user.target" ];
       };
     };
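Review bot: the six new keys in serviceConfig have no in-file comment saying they mirror upstream's misc/irqbalance.service, and the commit message links that file on the master branch rather than at a pinned revision, so a later reader of the module cannot tell which upstream version these values track. I would add a short comment above `CapabilityBoundingSet = "";` naming the upstream file, and one next to `ReadWritePaths = "/proc/irq";` noting that it is the write exception to `ReadOnlyPaths = "/";`, so anyone who later needs the daemon to write elsewhere knows this is the place to widen. As a style point, `RuntimeDirectory = "irqbalance/";` reads more cleanly without the trailing slash, since the value is a directory name relative to /run.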