stricter service

This commit is contained in:
Robin Appelman 2022-07-17 16:53:31 +02:00
commit f95d60e94d


@ -29,7 +29,7 @@
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [rustc cargo];
nativeBuildInputs = with pkgs; [rustc cargo bacon];
};
})
// {
@ -197,12 +197,6 @@
};
config = mkIf cfg.enable {
users.groups.dispenser = {};
users.users.dispenser = {
isSystemUser = true;
group = "dispenser";
};
systemd.services.dispenser = let
pkg = self.defaultPackage.${pkgs.system};
in {
@ -213,7 +207,7 @@
Restart = "on-failure";
DynamicUser = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectSystem = "strict";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
@ -231,7 +225,6 @@
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictRealtime = true;
ProtectProc = "noaccess";
PrivateUsers = true;
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
IPAddressDeny = "localhost link-local multicast";
};
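Review bot: `ProtectSystem = "strict";` in the third hunk mounts the whole file system hierarchy read-only except /dev, /proc and /sys, so any state or cache the dispenser binary writes at runtime must now be declared with `StateDirectory = "dispenser";` (or `ReadWritePaths = [ ... ];`); no such directive is visible in these hunks, and the rest of the serviceConfig attribute set lies outside them, so please confirm it exists or that the service is genuinely write-free. Since `DynamicUser = true` already implies ProtectSystem=strict and PrivateTmp, the explicit setting documents intent rather than tightening the sandbox, which is fine but worth a comment. The removal of `PrivateUsers = true;` in the last hunk is the only change that loosens the sandbox and it carries no explanation; PrivateUsers is incompatible with AmbientCapabilities, so if it was dropped to grant a capability such as CAP_NET_BIND_SERVICE, a one-line comment like `# PrivateUsers=true breaks AmbientCapabilities; dropped on purpose` would stop a later reader from re-adding it.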