Update nixpkgs 2025-11-07-02-03

flake.lock

@@ -666,11 +666,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1758690382,
-        "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
+        "lastModified": 1762363567,
+        "narHash": "sha256-YRqMDEtSMbitIMj+JLpheSz0pwEr0Rmy5mC7myl17xs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
+        "rev": "ae814fd3904b621d8ab97418f1d0f2eb0d3716f4",
         "type": "github"
       },
       "original": {

hosts/carbon/configuration.nix

@@ -6,6 +6,7 @@
       ./hardware-configuration.nix
 
       ./dns.nix
+      ./ds-lite-ncfttb.nix
       ./mdns.nix
       ./net-dsl.nix
       ./net-gastnetz.nix
@@ -16,7 +17,7 @@
       ./net-printer.nix
       ./net-voip.nix
       ./ntp.nix
-      ./ppp.nix
+      ./ppp-ncfttb.nix
       ./scan-to-gpg.nix
       ./wg-clerie.nix
     ];
@@ -39,7 +40,7 @@
   networking.nat = {
     enableIPv6 = true;
     enable = true;
-    externalInterface = "ppp-dtagdsl";
+    externalInterface = "ppp-ncfttb";
     internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
     internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
   };

hosts/carbon/ds-lite-ncfttb.nix

@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+
+  profiles.clerie.ds-lite = {
+    enable = true;
+    wanInterfaceName = "ppp-ncfttb";
+    tunnelInterfaceName = "ds-lite-ncfttb";
+    lanInterfaces = [
+      {
+        name = "net-heimnetz";
+        sla_id = 201;
+        prefix_len = 64;
+      }
+    ];
+  };
+
+}

hosts/carbon/net-dsl.nix

@@ -3,17 +3,17 @@
 {
 
   ## DSL-Uplink
-  networking.vlans."enp1s0.7" = {
-    id = 7;
+  networking.vlans."enp1s0.10" = {
+    id = 10;
     interface = "enp1s0";
   };
-  networking.vlans."enp3s0.7" = {
-    id = 7;
+  networking.vlans."enp3s0.10" = {
+    id = 10;
     interface = "enp3s0";
   };
   networking.bridges."net-dsl".interfaces = [
-    "enp1s0.7"
-    "enp3s0.7"
+    "enp1s0.10"
+    "enp3s0.10"
   ];
 
 }

hosts/carbon/net-gastnetz.nix

@@ -61,7 +61,7 @@
 
   # net-gastnetz can only access internet
   clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-ncfttb -j ACCEPT
     ip46tables -A forward-filter -i net-gastnetz -j DROP
     ip46tables -A forward-filter -o net-gastnetz -j DROP
   '';

hosts/carbon/ppp-ncfttb.nix

@@ -4,11 +4,11 @@
 
   services.pppd = {
     enable = true;
-    peers.dtagdsl = {
+    peers.ncfttb = {
       config = ''
         plugin pppoe.so net-dsl
-        user "''${PPPD_DTAGDSL_USERNAME}"
-        ifname ppp-dtagdsl
+        user "''${PPPD_NETCOLOGNE_USERNAME}"
+        ifname ppp-ncfttb
         persist
         maxfail 0
         holdoff 5
@@ -24,9 +24,9 @@
     };
   };
 
-  environment.etc."ppp/peers/dtagdsl".enable = false;
+  environment.etc."ppp/peers/ncfttb".enable = false;
 
-  systemd.services."pppd-dtagdsl".serviceConfig = let
+  systemd.services."pppd-ncfttb".serviceConfig = let
     preStart = ''
       mkdir -p /etc/ppp/peers
 
@@ -34,22 +34,22 @@
       umask u=rw,g=,o=
 
       # Copy config and substitute username
-      rm -f /etc/ppp/peers/dtagdsl
-      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+      rm -f /etc/ppp/peers/ncfttb
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
 
       # Copy login secrets
       rm -f /etc/ppp/pap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
       rm -f /etc/ppp/chap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
     '';
 
     preStartFile = pkgs.writeShellApplication {
-      name = "pppd-dtagdsl-pre-start";
+      name = "pppd-ncfttb-pre-start";
       text = preStart;
     };
   in {
-    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
     ExecStartPre = [
       # "+" marks script to be executed without priviledge restrictions
       "+${lib.getExe preStartFile}"

hosts/carbon/secrets.json

@@ -1,21 +1,17 @@
 {
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
-	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
-	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"pppd-ncfttb-username": "ENC[AES256_GCM,data:vyOCNm23xsD3Kj+R7zqnBjH4jEIfYpx/YUUGPcVzqMs9pnFEembahtFTl2sNzOFXLfYCYg==,iv:gMfi/6jldkXCnfdvhu5X1VKj58sVsPR8IX8iEECPfgk=,tag:PJGyIASP6RPAdVULEnn+Gg==,type:str]",
+	"pppd-ncfttb-secrets": "ENC[AES256_GCM,data:IEAguET78vdzRo47UvxbDdz+kKgYWVxYakPPu5rNAZ4BCui7DUG3qm2X9bBdHSMA,iv:Q8D58HXkCoVbqwFoYk+dizXNcEP1J63uMaDSNEzfg2g=,tag:R/xG3owmbVDOLM79sfBQjA==,type:str]",
 	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-08-13T14:06:43Z",
-		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
+		"lastmodified": "2025-10-24T19:16:49Z",
+		"mac": "ENC[AES256_GCM,data:ADhCQ7JxrEq+5ssevuuQVf3uyHcrcNVSzdT8bkFfDFVEE1hKv8q9QsGxhIaKtv4N2gt079fy0YA+WFKH6H8zWb5ONepH4H/mAek2SYgAtmVsxwdWY13zswsJUPi2CfbaCWOqppb9IiDb8+RCbzY2u/8Qqwk8gx/0uw2hr3IJrhM=,iv:c1/TS+W4pQgh2oPT77LX+dUL929YppRYdZCmMl2yN+M=,tag:fTk1sxdeT9xFjDMhqiHZAg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",
@@ -24,6 +20,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.10.2"
 	}
 }

hosts/clerie-backup/configuration.nix

@@ -52,6 +52,11 @@
       environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
       compression = "auto,lzma";
       startAt = "*-*-* 04:07:00";
+
+      readWritePaths = [ "/var/lib/prometheus-node-exporter/textfiles" ];
+      postPrune = ''
+        echo "backup_replication_hetzner_last_successful_run_time $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/backup-replication-hetzner.prom
+      '';
     };
   };
 

hosts/krypton/programs.nix

@@ -25,6 +25,7 @@
     wireshark
     tcpdump
     nmap
+    pkgs."http.server"
 
     kdePackages.okular
     chromium-incognito

monitoring/targets.json

@@ -48,5 +48,8 @@
   },
   "cleriewi.uber.space": {
     "clerie-uberspace": { "enable": true }
+  },
+  "reichart.uber.space": {
+    "clerie-uberspace": { "enable": true }
   }
 }

pkgs/ds-lite-dhcpcd-hook/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "ds-lite-dhcpcd-hook";
+  text = builtins.readFile ./ds-lite-dhcpcd-hook.sh;
+  runtimeInputs = with pkgs; [
+    iproute2
+    jq
+    dig
+    gawk
+  ];
+}

pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Setting up required environment variables
+# shellcheck disable=SC2154
+WAN_INTERFACE_NAME="${DS_LITE_WAN_INTERFACE_NAME}"
+# shellcheck disable=SC2154
+TUNNEL_INTERFACE_NAME="${DS_LITE_TUNNEL_INTERFACE_NAME}"
+
+log_dhcp () {
+	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME}: $1"
+}
+
+log_tunnel () {
+	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME} (${TUNNEL_INTERFACE_NAME}): $1"
+}
+
+# Check if the event calling this hook is for the wan interface
+# exit immediately if not
+# shellcheck disable=SC2154
+if [[ "$interface" != "$WAN_INTERFACE_NAME" ]]; then
+	exit
+fi
+
+# Make sure the event calling this hook carries the environment variable
+# in question. The environment variable is not provided with every call
+# and we just want to exit if it is not provided
+# shellcheck disable=SC2154
+if [[ ! -v new_dhcp6_aftr_name ]]; then
+	# Variable is not set
+	exit
+fi
+# shellcheck disable=SC2154
+if [[ -z "${new_dhcp6_aftr_name}" ]]; then
+	# Variable is empty, can't do anything
+	exit
+fi
+
+# shellcheck disable=SC2154
+AFTR_NAME="$new_dhcp6_aftr_name"
+
+log_dhcp "Received new AFTR_NAME ${AFTR_NAME}"
+
+# Make sure we have a nameserver to resolve aftr name against
+# shellcheck disable=SC2154
+if [[ ! -v new_dhcp6_name_servers ]]; then
+	# Variable is not set
+	exit
+fi
+# shellcheck disable=SC2154
+if [[ -z "${new_dhcp6_name_servers}" ]]; then
+	# Variable is empty, can't do anything
+	exit
+fi
+
+# shellcheck disable=SC2154
+NAME_SERVERS="$new_dhcp6_name_servers"
+
+log_dhcp "Received new NAME_SERVERS ${NAME_SERVERS}"
+
+# Select first nameserver
+NAME_SERVER="$(echo "${NAME_SERVERS}" | awk '{print $1;}')"
+
+log_dhcp "Selected NAME_SERVER ${NAME_SERVER}"
+
+# Figure out a usable IPv6 address on the wan interface, to origin our DNS requests and tunnel
+WAN_INTERFACE_ADDRESS="$(ip --json address show "${WAN_INTERFACE_NAME}" | jq -r '.[0].addr_info[] | select(.family == "inet6" and .scope == "global" and .mngtmpaddr == true) | .local')"
+
+log_dhcp "Using WAN_INTERFACE_ADDRESS ${WAN_INTERFACE_ADDRESS}"
+
+AFTR_ADDRESS="$(dig "@${NAME_SERVER}" -b "${WAN_INTERFACE_ADDRESS}" AAAA "${AFTR_NAME}" +short | head -1)"
+
+log_dhcp "Resolved AFTR_NAME ${AFTR_NAME} to ${AFTR_ADDRESS}"
+
+# Check if there is already a tunnel interface
+if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")"; then
+	TUNNEL_INTERFACE_OPERSTATE="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].operstate')"
+	TUNNEL_INTERFACE_ORIGIN_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].address')"
+	TUNNEL_INTERFACE_REMOTE_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].broadcast')"
+
+	# Reconfigure tunnel interface, if not already in state we want
+	if [[ "${TUNNEL_INTERFACE_ORIGIN_ADDRESS}" != "${WAN_INTERFACE_ADDRESS}" || "${TUNNEL_INTERFACE_REMOTE_ADDRESS}" != "${AFTR_ADDRESS}" || "${TUNNEL_INTERFACE_OPERSTATE}" != "UNKNOWN" ]]; then
+		log_tunnel "Bad configuration, fixing tunnel parameter"
+
+		ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+		ip link set "$TUNNEL_INTERFACE_NAME" up
+	else
+		log_tunnel "Tunnel already configured"
+	fi
+else
+	log_tunnel "Setting up DS-Lite tunnel"
+
+	ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+	ip link set "$TUNNEL_INTERFACE_NAME" up
+fi
+
+log_tunnel "Setting default route"
+
+ip route replace default dev "${TUNNEL_INTERFACE_NAME}"
+
+log_tunnel "Tunnel setup finished"

pkgs/http.server/default.nix

@@ -0,0 +1,14 @@
+{
+  python3,
+  writeShellApplication,
+}:
+
+writeShellApplication {
+  name = "http.server";
+  text = ''
+    python3 -m http.server "$@"
+  '';
+  runtimeInputs = [
+    python3
+  ];
+}

pkgs/overlay.nix

@@ -14,6 +14,7 @@ final: prev: {
   chromium-incognito = final.callPackage ./chromium-incognito {};
   convert-flac-dir-to-mp3 = final.callPackage ./convert-flac-dir-to-mp3 {};
   curl-timings = final.callPackage ./curl-timings {};
+  ds-lite-dhcpcd-hook = final.callPackage ./ds-lite-dhcpcd-hook {};
   factorio-launcher = final.callPackage ./factorio-launcher {};
   feeds-dir = final.callPackage ./feeds-dir {};
   generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
@@ -22,6 +23,7 @@ final: prev: {
   git-pp = final.callPackage ./git-pp {};
   git-show-link = final.callPackage ./git-show-link {};
   grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
+  "http.server" = final.callPackage ./http.server {};
   nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
   nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
   nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};

pkgs/overrides/ds-lite-dhcpcd.nix

@@ -0,0 +1,20 @@
+final: prev:
+prev.dhcpcd.overrideAttrs (finalAttrs: prevAttrs: {
+
+  configureFlags = [
+    "--sysconfdir=/etc/ds-lite-dhcpcd"
+    "--localstatedir=/var"
+    "--disable-fork"
+    "--disable-privsep"
+    "--dbdir=/var/lib/ds-lite-dhcpcd"
+    "--rundir=/var/run/ds-lite-dhcpcd"
+    "--with-default-hostname=ds-lite"
+    "--disable-ipv4"
+    "--disable-arp"
+    "--disable-arpping"
+    "--disable-ipv4ll"
+    "--disable-ntp"
+  ];
+
+})
+

pkgs/overrides/overlay.nix

@@ -1,4 +1,5 @@
 final: prev: {
   dino = import ./dino.nix final prev;
+  ds-lite-dhcpcd = import ./ds-lite-dhcpcd.nix final prev;
   xmppc = import ./xmppc.nix final prev;
 }

profiles/default.nix

@@ -11,6 +11,7 @@
     ./cybercluster-vm
     ./desktop
     ./dn42-router
+    ./ds-lite
     ./fem-net
     ./firefox
     ./gpg-ssh

profiles/ds-lite/default.nix

@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.ds-lite;
+
+
+  dsLiteDhcpcdConfig = ''
+    allowinterfaces ${cfg.wanInterfaceName} ${concatMapStringsSep " " (interface: interface.name) cfg.lanInterfaces}
+
+    option dhcp6_name_servers
+    option dhcp6_aftr_name
+
+    waitip 6
+
+    ipv6only
+    ipv6ra_noautoconf
+    noipv6rs
+
+    interface ${cfg.wanInterfaceName}
+      ipv6ra_autoconf
+      ipv6rs
+      ia_pd 1/::/48 ${concatMapStringsSep " " (interface: "${interface.name}/${toString interface.sla_id}/${toString interface.prefix_len}") cfg.lanInterfaces}
+
+    ${concatMapStrings (interface: ''
+    interface ${interface.name}
+      nolink
+    '') cfg.lanInterfaces}
+  '';
+
+  dsLiteDhcpcdConfigFile = pkgs.writeTextFile {
+    name = "dhcpcd.conf";
+    text = dsLiteDhcpcdConfig;
+  };
+
+  dsLiteDhcpcdHookWrapperFile = pkgs.writeShellScript "ds-lite-dhcpcd-hook-wrapper" ''
+    DS_LITE_WAN_INTERFACE_NAME=${lib.escapeShellArg cfg.wanInterfaceName};
+    export DS_LITE_WAN_INTERFACE_NAME
+    DS_LITE_TUNNEL_INTERFACE_NAME=${lib.escapeShellArg cfg.tunnelInterfaceName};
+    export DS_LITE_TUNNEL_INTERFACE_NAME
+
+    exec ${lib.getExe pkgs.ds-lite-dhcpcd-hook}
+  '';
+
+in {
+
+  options.profiles.clerie.ds-lite = {
+    enable = mkEnableOption "DS-Lite setup";
+    wanInterfaceName = mkOption {
+      type = types.str;
+      description = "Interface with IPv6 connectivity to provider";
+    };
+    tunnelInterfaceName = mkOption {
+      type = types.str;
+      description = "Interface with IPv4 connectivity to provider";
+    };
+    lanInterfaces = mkOption {
+      type = with types; listOf (submodule ({ ... }: {
+        options = {
+          name = mkOption {
+            type = types.str;
+          };
+          sla_id = mkOption {
+            type = types.ints.unsigned;
+          };
+          prefix_len = mkOption {
+            type = types.ints.between 48 128;
+          };
+        };
+      }));
+      default = [];
+      description = "Interfaces to provisn with an IPv6 prefix";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.ds-lite-dhcpcd = {
+      description = "DS-Lite dhcpcd";
+
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        User = "ds-lite";
+        Group = "ds-lite";
+        StateDirectory = "ds-lite-dhcpcd";
+        RuntimeDirectory = "ds-lite-dhcpcd";
+
+        ExecStart = "${pkgs.ds-lite-dhcpcd}/bin/dhcpcd --ipv6only --nobackground --config ${dsLiteDhcpcdConfigFile} --script ${dsLiteDhcpcdHookWrapperFile}";
+
+        Restart = "always";
+        AmbientCapabilities = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_RAW"
+          "CAP_NET_BIND_SERVICE"
+        ];
+        ReadWritePaths = [
+          "/proc/sys/net/ipv6"
+        ];
+        DeviceAllow = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = false;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = "tmpfs"; # allow exceptions to be added to ReadOnlyPaths, etc.
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_PACKET"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallFilter = [
+          "@system-service"
+          "~@keyring"
+          "~@memlock"
+          "~@mount"
+        ];
+        SystemCallArchitectures = "native";
+        UMask = "0027";
+      };
+    };
+
+    users.users.ds-lite = {
+      isSystemUser = true;
+      group = "ds-lite";
+    };
+    users.groups.ds-lite = { };
+  };
+
+}