public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/gitea: Sandbox the systemd service

Browse Source
This commit is contained in:
Janne Heß 2019-06-27 03:23:53 +02:00 committed by Frederik Rietdijk
parent 784914c46d
commit e42036ee0e
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
nixos/modules/services/misc/gitea.nix
View File

@ -394,6 +394,28 @@ in
WorkingDirectory = cfg.stateDir; WorkingDirectory = cfg.stateDir;
ExecStart = "${gitea.bin}/bin/gitea web"; ExecStart = "${gitea.bin}/bin/gitea web";
Restart = "always"; Restart = "always";
# Filesystem
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ReadWritePaths = cfg.stateDir;
# Caps
CapabilityBoundingSet = "";
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
PrivateUsers = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = "~@chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
SystemCallArchitectures = "native";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
}; };
environment = { environment = {