diff options
| author | Robert Schütz <dev@schuetz-co.de> | 2021-05-08 18:04:01 +0200 |
|---|---|---|
| committer | Robert Schütz <dev@schuetz-co.de> | 2021-05-08 22:54:15 +0200 |
| commit | 4400ee83ecf2408489fba37fa5aa6d42804ee4b7 (patch) | |
| tree | 127be6463ce66653dbc9a063fdf11455c7360496 /nixos/modules/services/networking/znc/default.nix | |
| parent | 63586475587d7e0e078291ad4b49b6f6a6885100 (diff) | |
| download | nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar.gz nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar.bz2 nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar.lz nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar.xz nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.tar.zst nixpkgs-4400ee83ecf2408489fba37fa5aa6d42804ee4b7.zip | |
nixos/znc: harden systemd unit
Diffstat (limited to 'nixos/modules/services/networking/znc/default.nix')
| -rw-r--r-- | nixos/modules/services/networking/znc/default.nix | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index a7315896c50..83b9b85e0c6 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -258,6 +258,34 @@ in ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; preStart = '' mkdir -p ${cfg.dataDir}/configs |