

commit 9d4fe397dbd458551a0d2bc15119447b9addf8a9
parent 19dec987cffb34dcf436ed09150dae9197d2eb70
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 11 Sep 2022 15:44:32 +0200

modules/gotosocial: re-enable service isolation
1 file changed, 26 insertions(+), 26 deletions(-)
M
modules/gotosocial.nix
|
52
++++++++++++++++++++++++++--------------------------
diff --git a/modules/gotosocial.nix b/modules/gotosocial.nix
@@ -95,34 +95,34 @@ in {
 
           ExecStart = "${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml server start";
 
-#          NoNewPrivileges = true;
-#          PrivateTmp      = true;
-#          PrivateDevices  = false;
+          NoNewPrivileges = true;
+          PrivateTmp      = true;
+          PrivateDevices  = false;
 
-#          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-#          RestrictNamespaces      = true;
-#          RestrictRealtime        = true;
+          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+          RestrictNamespaces      = true;
+          RestrictRealtime        = true;
         
-#          ProtectSystem         = "full";
-#          ProtectControlGroups  = true;
-#          ProtectKernelModules  = true;
-#          ProtectKernelTunables = true;
-#
-#          DevicePolicy     = "closed";
-#          LockPersonality  = true;
-#          SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
-#
-#          CapabilityBoundingSet = [
-#            "~CAP_RAWIO CAP_MKNOD"
-#            "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
-#            "~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
-#            "~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
-#            "~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
-#            "~CAP_SYS_TTY_CONFIG"
-#            "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
-#            "~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
-#            "~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG"
-#          ];
+          ProtectSystem         = "full";
+          ProtectControlGroups  = true;
+          ProtectKernelModules  = true;
+          ProtectKernelTunables = true;
+
+          DevicePolicy     = "closed";
+          LockPersonality  = true;
+          SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
+
+          CapabilityBoundingSet = [
+            "~CAP_RAWIO CAP_MKNOD"
+            "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
+            "~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
+            "~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
+            "~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
+            "~CAP_SYS_TTY_CONFIG"
+            "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
+            "~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
+            "~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG"
+          ];
         };
       };
     };
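Review bot: The re-enabled `SystemCallFilter = "~@clock @debug …"` is a deny-list, so every syscall group it does not name stays reachable, and no `SystemCallArchitectures` is set, which systemd recommends alongside any syscall filter so it cannot be sidestepped through a non-native ABI; the allowlist form `SystemCallFilter = "@system-service";` together with `SystemCallArchitectures = "native";` is the conventional replacement. `ProtectSystem = "full"` leaves /var writable, so `"strict"` plus `ReadWritePaths` naming GoToSocial's storage and database directories (not visible in this hunk) would narrow the writable surface, and `ProtectHome`, `RestrictSUIDSGID` and `ProtectKernelLogs` are absent from the set. Because this block was previously commented out and `PrivateDevices = false` is kept off explicitly, a comment such as `# PrivateDevices stays off: <reason it was needed>` and one line on why isolation had been disabled would spare the next reader from rediscovering it. The serviceConfig attribute set these lines belong to begins before the hunk.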