51 lines
1.4 KiB
Nix
51 lines
1.4 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.services.udisks2;
|
|
in
|
|
{
|
|
services.udisks2.enable = lib.mkDefault (!config.machineVars.headless);
|
|
|
|
systemd.services.udisks2 = lib.mkIf cfg.enable {
|
|
after = lib.optionals cfg.mountOnMedia [ "systemd-tmpfiles-setup.service" ];
|
|
requires = lib.optionals cfg.mountOnMedia [ "systemd-tmpfiles-setup.service" ];
|
|
|
|
serviceConfig = {
|
|
User = "root";
|
|
Group = "root";
|
|
|
|
StateDirectory = "udisks2";
|
|
StateDirectoryMode = "0700";
|
|
RuntimeDirectory = "udisks2";
|
|
RuntimeDirectoryMode = "0755";
|
|
|
|
# A lot of the omitted Private*/Protect* settings would imply
|
|
# this to be true, which would have the daemon only mount disks
|
|
# inside its own sandbox and so breaking the main functionality.
|
|
PrivateMounts = false;
|
|
|
|
CapabilityBoundingSet = [
|
|
"CAP_SYS_ADMIN" # Needed for mount(2) and umount(2)
|
|
];
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@privileged @resources"
|
|
"@chown @mount"
|
|
];
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
ProtectClock = true;
|
|
ProtectHostname = true;
|
|
RestrictAddressFamilies = [
|
|
"AF_UNIX"
|
|
"AF_NETLINK" # Needed to talk to udev
|
|
];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
UMask = "022";
|
|
};
|
|
};
|
|
}
|