webindex & onion-chef: Run non-network-facing services in PrivateNetwork

modules/nix-bitcoin-webindex.nix

@@ -88,6 +88,7 @@ in {
         RemainAfterExit="yes";
         Restart = "on-failure";
         RestartSec = "10s";
+        PrivateNetwork = "true"; # This service needs no network access
       } // (if cfg.enforceTor
           then nix-bitcoin-services.allowTor
           else nix-bitcoin-services.allowAnyIP

modules/onion-chef.nix

@@ -77,6 +77,7 @@ in {
         ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
         Type = "oneshot";
         RemainAfterExit = true;
+        PrivateNetwork = "true"; # This service needs no network access
       };
     };
   };