authorwoojiq <yurii.shymon@gmail.com>2023-05-15 14:45:21 +0300
committerpennae <82953136+pennae@users.noreply.github.com>2023-05-15 15:28:34 +0200
commit2ee66a3000fd65bc76e83a62e57337a9dccdb7c2 (patch)
tree8ec125f555a6434d7de75a5e0f8e0250e95ccf2c /nixos/modules/services/hardware
parent5bb17df5521d88c472f83e34bb6976b02376f6aa (diff)
keyd: run systemd service as root user
Diffstat (limited to 'nixos/modules/services/hardware')
-rw-r--r--nixos/modules/services/hardware/keyd.nix18
1 files changed, 16 insertions, 2 deletions
diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix
index 64c769405fa..d17b0e4303e 100644
--- a/nixos/modules/services/hardware/keyd.nix
+++ b/nixos/modules/services/hardware/keyd.nix
@@ -76,7 +76,9 @@ in
         ExecStart = "${pkgs.keyd}/bin/keyd";
         Restart = "always";
 
-        DynamicUser = true;
+        # TODO investigate why it doesn't work propeprly with DynamicUser
+        # See issue: https://github.com/NixOS/nixpkgs/issues/226346
+        # DynamicUser = true;
         SupplementaryGroups = [
           config.users.groups.input.name
           config.users.groups.uinput.name
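Review bot: Commenting out `DynamicUser = true` without adding a `User =` leaves the unit running as UID 0, and the replacement comment at the top of this hunk does not say so, nor that DynamicUser also implied several hardening settings (ProtectSystem=strict, PrivateTmp, NoNewPrivileges, RestrictSUIDSGID, RemoveIPC, ProtectHome=read-only) which the later hunks re-add explicitly except for RemoveIPC and ProtectHome. I would make that explicit so a later reader does not treat the change as cosmetic: `# DynamicUser is disabled (https://github.com/NixOS/nixpkgs/issues/226346), so keyd runs as root;` / `# the settings it implied (PrivateTmp, ProtectSystem=strict, NoNewPrivileges, RestrictSUIDSGID) are set explicitly below.` The existing comment also misspells "properly" as "propeprly". If the failure in the linked issue is specific to the runtime-allocated UID rather than to running unprivileged in general, a static `User`/`Group` with the same SupplementaryGroups would keep the service off root and is worth recording in the TODO as the preferred resolution; I cannot confirm that from this hunk. The serviceConfig attribute set continues outside the hunk.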
@@ -96,6 +98,7 @@ in
         ProtectHostname = true;
         PrivateUsers = true;
         PrivateMounts = true;
+        PrivateTmp = true;
         RestrictNamespaces = true;
         ProtectKernelLogs = true;
         ProtectKernelModules = true;
@@ -104,7 +107,18 @@ in
         MemoryDenyWriteExecute = true;
         RestrictRealtime = true;
         LockPersonality = true;
-        ProtectProc = "noaccess";
+        ProtectProc = "invisible";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+        RestrictSUIDSGID = true;
+        IPAddressDeny = [ "any" ];
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProcSubset = "pid";
         UMask = "0077";
       };
     };
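Review bot: For a service that now runs as root, the most relevant restriction is `CapabilityBoundingSet=`, and it does not appear among the options added here; if it is not set elsewhere in the unit (the hunk starts mid-attribute-set, so I cannot tell), `NoNewPrivileges = true` and the `~@privileged` syscall filter only partially substitute for it, since the process keeps its full capability set for file and device access. The supplementary input/uinput groups in the first hunk suggest keyd may not need any capability at all, in which case `CapabilityBoundingSet = [ ];` would be the matching line; if some capability turns out to be required, listing just that one is still far tighter than the default. `ProtectHome` was previously implied by DynamicUser and is not visible in this hunk either; if it is not set elsewhere, `ProtectHome = true;` is the natural companion to `ProtectSystem = "strict"`.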