From 3cd61506e021df2df3f1a170724c6f11f0d54a88 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Tue, 5 May 2020 15:25:00 +0200
Subject: [PATCH] webindex & onion-chef: Run non-network-facing services in PrivateNetwork
---
 modules/nix-bitcoin-webindex.nix | 1 +
 modules/onion-chef.nix | 1 +
 2 files changed, 2 insertions(+)
diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix
index be64f6d..95ee066 100644
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@@ -88,6 +88,7 @@ in {
 RemainAfterExit="yes";
 Restart = "on-failure";
 RestartSec = "10s";
+ PrivateNetwork = "true"; # This service needs no network access
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix
index a5084a3..a4b025b 100644
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@@ -77,6 +77,7 @@ in {
 ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
 Type = "oneshot";
 RemainAfterExit = true;
+ PrivateNetwork = "true"; # This service needs no network access
 };
 };
 };
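Review bot: In the webindex hunk, the attribute set that now carries `PrivateNetwork = "true"` is still merged with `nix-bitcoin-services.allowTor` / `allowAnyIP` on the lines right after the added one, so the unit declares both a network-less namespace and an IP policy selected by `cfg.enforceTor`. With PrivateNetwork the service only sees its own private loopback, so that merge presumably no longer changes what the service can reach (the helper definitions and the start of this serviceConfig block are outside the hunk); I would drop the `// (if cfg.enforceTor …)` merge or mark it with `# IP policy is redundant here: PrivateNetwork leaves only a private loopback`. Because `//` lets the right-hand set win, a `PrivateNetwork` key added to either helper later would silently override this line. The ExecStart script is not visible here; if it queries a local daemon over 127.0.0.1 rather than a unix socket, that call would fail inside the private namespace, so it is worth confirming before relying on the comment "needs no network access".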
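Review bot: In the onion-chef hunk, `PrivateNetwork = "true";` is written as a string directly below `RemainAfterExit = true;`, which uses a Nix boolean. Both spellings presumably render to the same unit-file value, but the mixed style makes the hardening options harder to scan and grep for. I would write `PrivateNetwork = true; # This service needs no network access` here and in the webindex hunk. The serviceConfig block starts outside the hunk, so any other sandboxing keys already set for this unit are not visible from here.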