From a799bd0e3d418210e34b6ded79721f6ade486e98 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Mon, 6 Oct 2025 15:28:41 +0200
Subject: [PATCH 1/3] nixos/redmine: Set ProtectProc to `invisible`
For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectProc=
Signed-off-by: Felix Singer
---
 nixos/modules/services/misc/redmine.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix
index 8f98a9fd1442..1f42d642555e 100644
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@@ -473,7 +473,7 @@ in
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
- ProtectProc = "noaccess";
+ ProtectProc = "invisible";
 ProtectSystem = "strict";
 ReadWritePaths = [
 cfg.stateDir
From 21f827065bf023e83cc7ae078a3c3c0c0746b0a8 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Mon, 6 Oct 2025 15:27:55 +0200
Subject: [PATCH 2/3] nixos/redmine: Enable PrivateUsers hardening in service config
For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateUsers=
Signed-off-by: Felix Singer
---
 nixos/modules/services/misc/redmine.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix
index 1f42d642555e..4b5d3dab5ad2 100644
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@@ -465,6 +465,7 @@ in
 PrivateDevices = true;
 PrivateMounts = true;
 PrivateTmp = true;
+ PrivateUsers = true;
 ProcSubset = "pid";
 ProtectClock = true;
 ProtectControlGroups = "strict";
From 79ab4bb47b51aec0c5272d56da768c667670b388 Mon Sep 17 00:00:00 2001
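Review bot: The switch from `noaccess` to `invisible` on the `ProtectProc` line changes what the service can observe, not only what it can open — other users' processes no longer show up in /proc at all — yet neither the commit body nor the Nix file says why the stricter mode is wanted, so the next reader has only a link to go on. I would add a comment next to the setting, e.g. `# hidepid=invisible: other users' processes are not listed in /proc at all (ProcSubset = "pid" already strips the non-process entries)`. As far as I recall from the linked systemd page, the option is silently without effect on kernels lacking per-mount hidepid= support, so it is a best-effort layer rather than a guarantee; a sentence to that effect in the commit body would help anyone auditing the unit later. The enclosing serviceConfig attribute set starts and ends outside the hunk.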
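Review bot: `PrivateUsers = true;` is the one line in this series that can break the service rather than merely tighten it, and the commit offers only a documentation link: inside the user namespace only root and the service user are mapped, so — as I understand the option — any file or socket the unit touches that is owned by a third uid/gid appears as `nobody`, and chown/setuid-style operations (for instance in a preStart that fixes ownership under `cfg.stateDir`, which I cannot see from here) fail. The commit message should state that the unit was exercised end to end after this change — at least the database connection and a repository checkout — and the line deserves a comment such as `# Runs in its own user namespace; only root and cfg.user are mapped, so everything the unit reads must be owned by one of those.`. It does fit the `CapabilityBoundingSet = ""` already in this block, since no capability is expected to survive the namespace anyway. The enclosing serviceConfig attribute set starts and ends outside the hunk.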
From: Felix Singer
Date: Mon, 6 Oct 2025 15:27:05 +0200
Subject: [PATCH 3/3] nixos/redmine: Enable MountAPIVFS hardening in service config
This setting is already implied by others, but add it for completeness as well. For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#MountAPIVFS=
Signed-off-by: Felix Singer
---
 nixos/modules/services/misc/redmine.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix
index 4b5d3dab5ad2..1253bae48a6d 100644
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@@ -461,6 +461,7 @@ in
 CapabilityBoundingSet = "";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
+ MountAPIVFS = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
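Review bot: Since the commit itself says `MountAPIVFS = true;` is already implied by the other settings, the added line will read as doing something on its own to the next maintainer unless the file says otherwise; I would carry the commit's rationale into a comment on the line, e.g. `# Already implied by the Protect*/Private* settings below; listed explicitly for completeness.`. No `RootDirectory=`/`RootImage=` is visible in the hunk, and without one I would not expect this option to change which API filesystems are mounted, which is consistent with the commit's own claim. The enclosing serviceConfig attribute set starts and ends outside the hunk.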