From cb1f37e1d0f8bc3944dfa9fff2f82a1cc27dfff2 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 24 Feb 2022 11:06:00 +0000
Subject: [PATCH] Add an introducing comment to restricted-service.nix

---
 nixos/modules/restricted-service.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/restricted-service.nix b/nixos/modules/restricted-service.nix
index 8911c1d6..93401799 100644
--- a/nixos/modules/restricted-service.nix
+++ b/nixos/modules/restricted-service.nix
@@ -1,8 +1,15 @@
+# Provide secure defaults for systemd services
+#
+# Good reads:
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+# https://docs.arbitrary.ch/security/systemd.html
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+
 {
   DynamicUser = true;
 
   # This set of restrictions is mostly dervied from
-  # - running `systemd-analyze security zkap-spending-service.service
+  # - running `systemd-analyze security zkap-spending-service.service`
   # - Looking at the restrictions from the nixos nginx config.
   AmbientCapabilities = "";
   CapabilityBoundingSet = "";
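Review bot: The new header calls these "secure defaults for systemd services" without saying that the set was tuned against a single unit, which the comment further down states (`systemd-analyze security zkap-spending-service.service`). A service that needs a capability, such as binding a low port, has to override entries like `CapabilityBoundingSet = "";`, and a reader of the header alone would not learn that. I would add to the header something like `# Intended to be merged into a unit's serviceConfig and overridden per service where needed;` and `# re-run systemd-analyze security <unit> after any override.`; how the set is consumed is not visible here, so confirm the wording against the importing modules. While this comment block is being touched, the context line above the fixed backtick still reads "dervied" and could become `# This set of restrictions is mostly derived from`. The attribute set continues past the end of the hunk, so the remaining restrictions are not covered by this review.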
-- 
GitLab