Compare commits
4 Commits
48752c9549
...
44b8c9d4a3
Author | SHA1 | Date |
---|---|---|
Oystein Kristoffer Tveit | 44b8c9d4a3 | |
Oystein Kristoffer Tveit | ef418bf125 | |
Oystein Kristoffer Tveit | 945d53cdb4 | |
Oystein Kristoffer Tveit | cf3b62e01e |
3
base.nix
3
base.nix
|
@ -174,7 +174,6 @@
|
|||
extraConfig = "return 444;";
|
||||
};
|
||||
|
||||
# TODO: upstream
|
||||
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
|
||||
systemd.services.logrotate = {
|
||||
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
|
||||
|
@ -211,8 +210,6 @@
|
|||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
# "~@privileged"
|
||||
# "~@resources"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -31,7 +31,7 @@ in
|
|||
PrivateMounts = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true; # Needed to read passwords from /run maybe?
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
|
@ -45,8 +45,6 @@ in
|
|||
KeyringMode = "private";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
# "~@privileged"
|
||||
# "~@resources"
|
||||
];
|
||||
};
|
||||
});
|
||||
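Review bot: The `SystemCallFilter` in the hunk at -45,8 +45,6 is left as `"@system-service"` alone, and that group still contains the `@chown`, `@setuid` and `@resources` sets, so the filter does not take privileged calls away from this unit. The commented-out `"~@privileged"` and `"~@resources"` entries appear to be what this commit drops (the page has lost its +/- markers), which removes the only sign that tightening was considered. Either enable the two entries after testing the service, or keep a one-line comment such as `# "~@privileged" / "~@resources" not applied: <reason>` so the gap stays visible. The same applies to the logrotate filter in base.nix (hunk at -211,8 +210,6); logrotate may need chown-family calls to create rotated files with the right owner, so test before denying `@privileged` there. The attribute set around these lines starts outside the hunk.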
|
|
|
@ -71,8 +71,6 @@ in {
|
|||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
# IPAddressDeny = [ "any" ];
|
||||
# IPAddressAllow = [ ];
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
# MemoryDenyWriteExecute = true;
|
||||
|
|