nixos/komga: add systemd service hardening

nuko 2024-03-01 15:11:54 +13:00 committed by nu-nu-ko
parent 502f34f3e0
commit b18bcf3a04
No known key found for this signature in database


@ -87,6 +87,33 @@ in
ExecStart = "${pkgs.komga}/bin/komga";
StateDirectory = mkIf (cfg.stateDir == "/var/lib/komga") "komga";
RemoveIPC = true;
NoNewPrivileges = true;
CapabilityBoundingSet = "";
SystemCallFilter = [ "@system-service" ];
ProtectSystem = "full";
PrivateTmp = true;
ProtectProc = "invisible";
ProtectClock = true;
ProcSubset = "pid";
PrivateUsers = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
LockPersonality = true;
RestrictNamespaces = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictRealtime = true;
};
};
};
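Review bot: `ProtectSystem = "full";` only makes /usr, /boot, /efi and /etc read-only, so everything else the komga user can write under /var, /srv or /home stays writable from inside the sandbox. Since the rest of the set is already tight, `ProtectSystem = "strict";` would be the consistent choice. It needs `ReadWritePaths = [ cfg.stateDir ];` alongside it, because the `StateDirectory` line above is only applied when `cfg.stateDir` is the default, so a custom state directory would otherwise become read-only. It would also help to add a short comment saying that `MemoryDenyWriteExecute` is left out on purpose (presumably because the JVM JIT needs writable-executable mappings) and why `AF_NETLINK` is allowed, so a later cleanup does not "fix" either one. The serviceConfig attribute set opens above this hunk, so options set earlier in it are not visible here.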