How to firejail system services

I would like to firejail unbound which is defined in my configuration.nix as follows:

  services.unbound.enable = true;
  services.unbound.enableRootTrustAnchor = true;
  services.unbound.settings = {
    server = {
various settings...
    remote-control.control-enable = false;

How can i firejail unbound when its defined as a system service and not as a “standalone” program?

1 Like

Consider using the most appropriate tool for the job: systemd. systemd provides many hardening options which should be able to accomplish all that firejail can. Specifically what hardening did you want to apply with firejail?

1 Like

As there are no default apparmor profiles in Nixos (granted, there are 4 but come on…) i then wanted to apply the standard firejail profile to unbound to save me the hassle of creating a profile myself. I “just want it to work” with maybe slight alterations.

I switched to Nixos from Arch where i could just apply ready-made apparmor or firejail profiles without having to create them from scratch and am still learning Nixos. Some things like apparmor / firejail are a bit awkward in Nixos for me.