author | Izorkin <izorkin@elven.pw> | 2021-05-12 11:28:40 +0300 |
committer | Kerstin <kerstin@erictapen.name> | 2021-11-06 16:45:20 +0100 |
commit | 700ea62f549e00fbe531c387e68b99b08378f172 (patch) | |
tree | b8b4c528e8220b42f2fe66bb0ee8aac98ea079b7 | |
parent | 943f15d4b76e13c19ac08a298bc12f7b6f14b931 (diff) | |
nixos/mastodon: remove duplicates SystemCallFilters
-rw-r--r-- | nixos/modules/services/web-apps/mastodon.nix | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 7c148ee76e4..527fc5bb8e2 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -38,7 +38,7 @@ let
 // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
 // cfg.extraConfig;
- systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ];
+ systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@mount" "@obsolete" "@privileged" "@setuid" ];
 cfgService = {
 # User and group
@@ -468,7 +468,7 @@ in {
 Type = "oneshot";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
 } // cfgService;
 after = [ "network.target" ];
@@ -495,7 +495,7 @@ in {
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
 } // cfgService;
 after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
 wantedBy = [ "multi-user.target" ];
@@ -521,7 +521,7 @@ in {
 RuntimeDirectory = "mastodon-streaming";
 RuntimeDirectoryMode = "0750";
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]);
+ SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
 } // cfgService;
 };
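Review bot: The new `systemCallsList` in the first hunk is stricter than "remove duplicates" suggests: per systemd.exec(5), `@privileged` is a superset of the dropped `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, but it also contains `@chown` and calls such as `capset`, `pivot_root`, `quotactl`, `sethostname` and `vhangup`, so every unit except streaming now denies more than before — which is exactly why the later hunks have to re-allow `@chown`. That tightening is welcome, but it should be stated in the commit message and above the list, e.g. `# Deny-list shared by all units. @privileged already covers @clock/@module/@raw-io/@reboot/@swap and @chown; units that need chown re-allow it explicitly.` The same manual lists the setuid/setgid family under `@privileged` too, so `@setuid` looks as redundant as the groups this commit removed; `systemd-analyze syscall-filter @privileged` on the target systemd version will confirm that before it is dropped. The enclosing `let` block starts outside the hunk.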
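Review bot: The two-element `SystemCallFilter` list in the `-468` hunk only works in this order: systemd lets the first `SystemCallFilter=` occurrence fix the default action (deny-list here) and later occurrences add to or subtract from that set, so a bare `@chown` re-allows chown only if the `~`-prefixed entry is emitted first. That relies on NixOS rendering the list as repeated `SystemCallFilter=` lines in list order, which is worth pinning with a comment so nobody "tidies" it, e.g. `# Order matters: the "~" deny-list must come first; the bare "@chown" then removes chown from it.` Note also that `// cfgService` is merged last and would silently override this key if `cfgService` (defined outside the hunk) ever gained a `SystemCallFilter` attribute. The enclosing `serviceConfig` set starts outside the hunk.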
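Review bot: In the `-495` hunk the unit ordered after `mastodon-init-dirs.service` and `postgresql.service` — presumably the database initialisation step — gets `@chown` re-allowed although nothing visible suggests a migration needs to change file ownership; before this commit chown was simply never denied, so the re-allow preserves the old surface rather than documenting a need. Least privilege would argue for running this unit without the `"@chown"` element first (a filtered call kills the process with SIGSYS, which is visible in the journal) and only adding it back with a comment naming the code path, e.g. `# @chown needed by <command/step>`. The enclosing unit definition starts and ends outside the hunk.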
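Review bot: After the `-521` hunk the streaming unit is the only one that keeps `@chown` denied, and only implicitly: it inherits `@privileged` through `systemCallsList` while the other units append a bare `@chown` to carve it back out. That matches the pre-change state (this unit alone listed `@privileged`), but nothing in the code marks the asymmetry as deliberate, so a future "make all units consistent" edit is likely to widen it. If the streaming server indeed has no use for chown, say so on the line, e.g. `# unlike the other units, chown stays denied here; the streaming server does not need it`. The enclosing unit definition starts outside the hunk.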
@@ -545,7 +545,7 @@ in {
 RuntimeDirectory = "mastodon-web";
 RuntimeDirectoryMode = "0750";
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
 } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
@@ -567,7 +567,7 @@ in {
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" ];
 } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
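Review bot: Re-allowing the whole `@chown` group on the web unit in the `-545` hunk deserves a justification next to the line, because this is the process whose `path` carries `imagemagick` and `ffmpeg` for user-supplied media and is therefore the most exposed one; before this commit chown was not filtered at all, so the re-allow keeps the status quo rather than reflecting a verified need. If Mastodon's upload handling does require it, record that (`# @chown: needed by media processing on uploaded files — verified`); if a run without it survives (a filtered call kills the process with SIGSYS and shows up in the journal), dropping `"@chown"` here tightens the sandbox where it matters most. The enclosing unit definition starts outside the hunk.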
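Review bot: The last unit (the `-567` hunk; presumably sidekiq, given the `imagemagick`/`ffmpeg` path shared with the web unit) is the only one whose filter omits `@resources`, and the commit rewrites that line without aligning it with the others, so the gap now reads like intent. If this worker genuinely needs the `@resources` calls (setrlimit/prlimit and friends), a comment on the line should say so; otherwise `("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]))` as in the other units would close it. As on the web unit, the `"@chown"` re-allow here should cite the code path that needs it, since this worker also processes untrusted media. The enclosing unit definition starts outside the hunk.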