Alertonotify hardening part 1

services/monitoring/alerttonotify.nix

@@ -19,6 +19,18 @@
     serviceConfig = {
       Type = "exec";
       ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
+      DynamicUser = "yes";
+      CapabilityBoundingSet = "";
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      SystemCallArchitectures = "native";
+      LockPersonality = "yes";
+      MemoryDenyWriteExecute = "yes";
+      PrivateDevices = "yes";
+      PrivateUsers = "yes";
+      ProtectControlGroups = "yes";
+      ProtectHome = "yes";
+      ProtectHostname = "yes";
+      RestrictNamespace = "yes";
     };
   };
 }