modules/socketActivation: misc updates

This commit is contained in:
Oystein Kristoffer Tveit 2024-01-23 05:42:22 +01:00
parent b8daea8fc1
commit 64152ef675
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 37 additions and 2 deletions


@ -121,17 +121,52 @@ in
connections-max = value.connectionsMax; connections-max = value.connectionsMax;
}; };
in ''${pkgs.systemd}/lib/systemd/systemd-socket-proxyd ${args} "${cfg.${name}.originalSocketAddress}"''; in ''${pkgs.systemd}/lib/systemd/systemd-socket-proxyd ${args} "${cfg.${name}.originalSocketAddress}"'';
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = value.privateNamespace; PrivateNetwork = value.privateNamespace;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
# ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0007";
}; };
}; };
services.${name} = { services.${name} = {
wantedBy = lib.mkForce [ ];
unitConfig = { unitConfig = {
StopWhenUnneeded = true; StopWhenUnneeded = true;
RefuseManualStart = true;
}; };
serviceConfig = lib.mkIf value.privateNamespace { serviceConfig = {
PrivateNetwork = true; PrivateNetwork = value.privateNamespace;
}; };
}; };
})); }));
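Review bot: `# ProtectHome = true;` sits disabled in the middle of the new hardening block with no reason given, so a later reader cannot tell whether it is a deliberate exception (for instance a proxied socket path under a home directory) or an oversight that silently weakens the sandbox; either add a one-line why-comment such as `# ProtectHome intentionally off: REASON_PLACEHOLDER` or, if the proxy only needs to read there, re-enable it as `ProtectHome = "read-only";`. The list also leaves out `MemoryDenyWriteExecute = true;`, which systemd-socket-proxyd has no evident need to forgo and which would cover the W^X side of this otherwise thorough sandbox; adding `"~@resources"` next to `"~@privileged"` in `SystemCallFilter` would be in the same spirit. The `serviceConfig` attribute set these directives belong to begins before the hunk, so any options set above line 121 were not visible for this review.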