author | Luflosi <luflosi@luflosi.de> | 2022-03-17 16:40:54 +0100 |
---|---|---|
committer | Luflosi <luflosi@luflosi.de> | 2022-03-22 11:12:14 +0100 |
commit | 41d45d674a3460b4984c6e3917f7cf231d0ec386 (patch) | |
tree | d7d591a02b4a46d54a2e089633e328a18d32255b /nixos/modules/services | |
parent | 5dbd4b2b27e24eaed6a79603875493b15b999d4b (diff) | |
nixos/ipfs: add systemd hardening
Use the hardened systemd unit from upstream.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/network-filesystems/ipfs.nix | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index 17da020bf3e..655785b99d8 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -239,7 +239,10 @@ in
 "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
 ];
 
- systemd.packages = [ cfg.package ];
+ # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
+ systemd.packages = if cfg.autoMount
+ then [ cfg.package.systemd_unit ]
+ else [ cfg.package.systemd_unit_hardened ];
 
 systemd.services.ipfs = {
 path = [ "/run/wrappers" cfg.package ];
@@ -275,6 +278,8 @@ in
 ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
 User = cfg.user;
 Group = cfg.group;
+ StateDirectory = "";
+ ReadWritePaths = [ "" cfg.dataDir ];
 } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
 } // optionalAttrs (!cfg.startWhenNeeded) {
 wantedBy = [ "default.target" ];
|
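Review bot: In the `systemd.packages` conditional, enabling `cfg.autoMount` swaps in the unhardened unit with no signal to the operator, so turning on FUSE mounts silently drops all of the sandboxing this commit adds. The code comment gives the reason, but the trade-off should also be stated where the choice is made: the `autoMount` option description (outside this hunk) could gain a sentence such as `Enabling this disables the hardened systemd unit.` The conditional also assumes every value of `cfg.package` exposes `systemd_unit` and `systemd_unit_hardened`; a user-supplied package without those outputs would presumably fail at evaluation, which is worth confirming or documenting on the `package` option.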
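Review bot: The added `StateDirectory = "";` and `ReadWritePaths = [ "" cfg.dataDir ];` carry no comment, and the leading empty strings are easy to mistake for leftovers. A line such as `# Reset the values shipped in the upstream unit; the repo lives in cfg.dataDir` above them would record the intent. Both settings are applied whichever unit is selected, including the unhardened one used with `autoMount`, which looks harmless but could be said in the same comment. Only `cfg.dataDir` is re-allowed for writing, and the upstream unit's other restrictions are not visible here, so a non-default `dataDir` (for example under a home directory) should be tested against the hardened unit. The enclosing `serviceConfig` attribute set starts outside this hunk.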