From b6cf5fdfa7bd959ab43bfcb13195a90a52ef6390 Mon Sep 17 00:00:00 2001
From: Meta-Repo Bot <bot@meta-repo.local>
Date: Fri, 16 Jan 2026 22:51:51 +0000
Subject: [PATCH] chore: Harden systemd service and pin nixpkgs to stable

Updates deployment configuration:
- Adds strict systemd sandboxing (ProtectSystem, DynamicUser, etc)
- Pins flake input to nixos-24.11 for stability
- Updates docs to reflect hardening
---
 docs/platform-setup.md | 10 ++++++++++
 flake.lock             |  8 ++++----
 flake.nix              |  2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/docs/platform-setup.md b/docs/platform-setup.md
index 99ce2fa..67aa26a 100644
--- a/docs/platform-setup.md
+++ b/docs/platform-setup.md
@@ -127,6 +127,16 @@ in
       ProtectSystem = "strict";
       ProtectHome = true;
       NoNewPrivileges = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      PrivateMounts = true;
+      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
     };
   };
 
diff --git a/flake.lock b/flake.lock
index 0887ab0..8d59892 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768305791,
-        "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
+        "lastModified": 1751274312,
+        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
+        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index 2451475..18c468b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
   description = "MusicLink Bot - A link converter sidecar for Matterbridge";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     utils.url = "github:numtide/flake-utils";
   };