From 588b0b5a5cbc4ef4affd4148d91b96a57fa59cb3 Mon Sep 17 00:00:00 2001
From: surtur <wanderer@dotya.ml>
Date: Fri, 24 Nov 2023 16:27:07 +0100
Subject: [PATCH] nix(coredns): force user, force restart always...

... and set MemoryDenyWriteExecute = true.
---
 nix/modules/coredns.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nix/modules/coredns.nix b/nix/modules/coredns.nix
index 8adcd6f..00a008b 100644
--- a/nix/modules/coredns.nix
+++ b/nix/modules/coredns.nix
@@ -229,18 +229,19 @@ in {
       WorkingDirectory = "/";
       # StartLimitIntervalSec = 5;
       StartLimitBurst = 10;
-      Restart = lib.mkDefault "always";
+      Restart = lib.mkForce "always";
       RestartSec = 10;
       # PermissionsStartOnly = true;
       ProtectSystem = "strict";
       LimitNOFILE = 1048576;
       LimitNPROC = 512;
       User = usr;
+      DynamicUser = lib.mkForce "no";
       EnvironmentFile = config.sops.templates.corednsEnv.path;
       # LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
       DeviceAllow = "";
       LockPersonality = true;
-      MemoryDenyWriteExecute = false;
+      MemoryDenyWriteExecute = true;
       NoNewPrivileges = true;
       PrivateDevices = true;
       PrivateTmp = true;