From d7e089699aedb67f79d2fa70bfdc39ea25ad5ea6 Mon Sep 17 00:00:00 2001
From: Robert Helgesson <robert@rycee.net>
Date: Mon, 19 Jul 2021 22:41:51 +0200
Subject: [PATCH] syncthing: restrict service slightly

---
 modules/services/syncthing.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index e63f3707e..c9def213d 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -61,6 +61,8 @@ with lib;
             Restart = "on-failure";
             SuccessExitStatus = [ 3 4 ];
             RestartForceExitStatus = [ 3 4 ];
+            NoNewPrivileges = true;
+            PrivateUsers = true;
           };
 
           Install = { WantedBy = [ "default.target" ]; };