diff options
| author | Janne Heß <janne@hess.ooo> | 2019-06-27 03:23:53 +0200 |
|---|---|---|
| committer | Frederik Rietdijk <freddyrietdijk@fridh.nl> | 2019-12-01 10:18:48 +0100 |
| commit | e42036ee0e77ba7c5cfae572aefa768c06623c64 (patch) | |
| tree | 8a1a2a9bd32ea7dc50c991be0c52d0b2174d5ed7 | |
| parent | 784914c46d0a1adf3dd74be4820187acffd1526c (diff) | |
| download | nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar.gz nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar.bz2 nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar.lz nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar.xz nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.tar.zst nixpkgs-e42036ee0e77ba7c5cfae572aefa768c06623c64.zip | |
nixos/gitea: Sandbox the systemd service
| -rw-r--r-- | nixos/modules/services/misc/gitea.nix | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index c8c59fb256e..b6f4d88adbe 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,28 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { |