---
title: sandboxing audit -- NixOS services
---
This table shows, for each systemd service in nixos, the hardening options that are configured.
The items are sorted by decreasing count of configured options, then by name.

This is the current result of [a work-in-progress project](https://github.com/thejohncrafter/nixos-harden-systemd)
with the support of the [nlnet foundation](https://nlnet.nl/).

The goal of the project is to audit the security of every systemd service in
[NixOS](https://nixos.org/). For the moment (*modulo* the power of my static analysis tool, that
may miss some parts of nixpkgs), I built a list of all the systemd services that are defined in NixOS
and I automatically read the configuration of these services with respect to systemd hardening.
The entries in this table are green if the service configures the option, and red otherwise.

### Caveats

 - For now, I only target a restricted list of options (boolean options that are "well-behaved").</p>
 - This shows the options that are *configured*, but not necessarily *secured*: for instance,
   `transmission` configures `PrivateNetwork` and this options appears in green,
   yet it is configured by default to `false`. This means there may be false positives.

   There may also be some false negatives: for instance, nginx does not configure `PrivateNetwork`,
   but this is expected because nginx has no reason to shut itself from the Internet.