module confinement

This commit is contained in:
Robin Appelman 2024-10-30 20:34:13 +01:00
commit 369dd4d9f3


@ -83,7 +83,7 @@ in
"mqtt_password:${cfg.mqtt.passwordFile}" "mqtt_password:${cfg.mqtt.passwordFile}"
"device_password:${cfg.devicePasswordFile}" "device_password:${cfg.devicePasswordFile}"
]; ];
ReadWritePaths = [ cfg.outputPath ]; BindPaths = [ cfg.outputPath ];
User = "tasmota-backup"; User = "tasmota-backup";
Restart = "on-failure"; Restart = "on-failure";
PrivateTmp = true; PrivateTmp = true;
@ -106,10 +106,23 @@ in
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "noaccess"; ProtectProc = "noaccess";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
IPAddressDeny = "multicast"; IPAddressDeny = mkDefault "multicast";
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "pid"; ProcSubset = "pid";
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
# needed for dns with confinement
BindReadOnlyPaths = [
"-/etc/resolv.conf"
"-/run/systemd"
"/etc/hosts"
"/etc/ssl/certs/ca-certificates.crt"
];
};
confinement = {
enable = true;
binSh = null;
}; };
}; };
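Review bot: The new `"-/run/systemd"` entry in `BindReadOnlyPaths` is broader than the comment above it ("needed for dns with confinement") justifies: it binds the whole of systemd's runtime directory into the confined root, while the resolved stub only needs the `resolv.conf`/`stub-resolv.conf` files under `/run/systemd/resolve`. A read-only bind does not on its own prevent the service from reaching other runtime state and sockets below that path, so narrowing it to `"-/run/systemd/resolve"` keeps the intent and shrinks what the confined process can see; the comment could then say `# resolved's resolv.conf lives under /run/systemd/resolve; '-' skips the bind when it is absent`. Separately, `/etc/resolv.conf` and `/etc/hosts` are commonly symlinks on NixOS, so it is worth confirming against a running unit that these bind mounts resolve inside the confinement rather than leaving dangling links. The `serviceConfig` attribute set these lines belong to starts before the hunk.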