From a5ab9470033a550bf510c26fd68a99f21586b39b Mon Sep 17 00:00:00 2001
From: snicket2100 <57048005+snicket2100@users.noreply.github.com>
Date: Sat, 25 Jan 2020 00:28:25 +0100
Subject: irqbalance: systemd service config aligned with upstream

Aligned systemd service config with the definition in the upstream repo: https://github.com/Irqbalance/irqbalance/blob/master/misc/irqbalance.service#L7. Other than adding some level of sandboxing it also fixes the "Daemon couldn't be bound to the file-based socket." warning reported on irqbalance startup due to the fact that the "/run/irqbalance" directory didn't exist. The "RuntimeDirectory" property makes sure it gets created. The aforementioned warning didn't cause any problems I could spot though. I have verified that both `irqbalance` as well as `irqbalance-ui` work fine with this new systemd service config.
---
 nixos/modules/services/hardware/irqbalance.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/hardware/irqbalance.nix b/nixos/modules/services/hardware/irqbalance.nix
index b139154432c..39c139576bf 100644
--- a/nixos/modules/services/hardware/irqbalance.nix
+++ b/nixos/modules/services/hardware/irqbalance.nix
@@ -17,8 +17,15 @@ in
 irqbalance = {
 description = "irqbalance daemon";
 path = [ pkgs.irqbalance ];
- serviceConfig =
- { ExecStart = "${pkgs.irqbalance}/bin/irqbalance --foreground"; };
+ serviceConfig = {
+ ExecStart = "${pkgs.irqbalance}/bin/irqbalance --foreground";
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = "yes";
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/proc/irq";
+ RestrictAddressFamilies = "AF_UNIX";
+ RuntimeDirectory = "irqbalance/";
+ };
 wantedBy = [ "multi-user.target" ];
 };
 };
-- cgit 1.4.1
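Review bot: The new `serviceConfig` restricts writes and capabilities but leaves the daemon able to read the whole filesystem, because `ReadOnlyPaths = "/"` only blocks writes and no `User` is set, so the unit presumably still runs as root. Home directories and the shared `/tmp` therefore stay visible to it. If the goal is sandboxing rather than only parity with upstream, consider adding `ProtectHome = true;` and `PrivateTmp = true;` next to `ReadWritePaths`, after re-testing `irqbalance` and `irqbalance-ui` with them. A short comment above the block would help later maintainers, for example `# Hardening mirrors upstream misc/irqbalance.service; /proc/irq is the only path the daemon writes.` Running `systemd-analyze security irqbalance.service` shows the exposure that remains.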