How to firejail system services

I would like to firejail unbound which is defined in my configuration.nix as follows:

  services.unbound.enable = true;
  services.unbound.enableRootTrustAnchor = true;
  services.unbound.settings = {
    server = {
      various settings...
    };
    remote-control.control-enable = false;
  };

How can I firejail unbound when it's defined as a system service and not as a “standalone” program?


Consider using the most appropriate tool for the job: systemd. systemd provides many hardening options which should be able to accomplish all that firejail can. Specifically what hardening did you want to apply with firejail?

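As an added example (not from this thread and not the NixOS unbound module's own code), the systemd route suggested above written as a configuration.nix fragment: the directives are merged into the `unbound.service` unit that `services.unbound.enable` already generates. It assumes the module runs the daemon as a non-root user and keeps its state under `/var/lib/unbound`; check both against your NixOS version before applying.

```nix
# Added example: systemd sandboxing for the NixOS unbound unit instead of
# firejail. Values here merge with what the module sets; use lib.mkForce
# only if you need to override one of the module's own directives.
{ config, lib, pkgs, ... }:

{
  services.unbound.enable = true;

  systemd.services.unbound.serviceConfig = {
    # Filesystem: read-only OS, no /home, private /tmp, minimal /dev.
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = true;
    ReadWritePaths = [ "/var/lib/unbound" ];   # assumed state directory

    # Kernel and process surface.
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    ProtectProc = "invisible";
    NoNewPrivileges = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;   # unbound has no JIT, so W^X is safe
    SystemCallArchitectures = "native";
    # Conservative allow-list; tighten further (e.g. "~@privileged") only
    # after confirming the unit does not drop privileges itself.
    SystemCallFilter = [ "@system-service" ];

    # A resolver needs IPv4/IPv6 sockets; AF_UNIX covers unbound-control.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];

    # Only the capability needed to bind port 53 as a non-root user.
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
}
```

After a rebuild, `systemd-analyze security unbound.service` reports the unit's exposure score and which directives are still open; add restrictions one at a time and watch `journalctl -u unbound` for permission errors.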

As there are no default AppArmor profiles in NixOS (granted, there are 4 but come on…) I then wanted to apply the standard firejail profile to unbound to save me the hassle of creating a profile myself. I “just want it to work” with maybe slight alterations.

I switched to NixOS from Arch, where I could just apply ready-made AppArmor or firejail profiles without having to create them from scratch, and am still learning NixOS. Some things like AppArmor / firejail are a bit awkward in NixOS for me.