Merge pull request #282758 from rht/hardware_no_network

hddfancontrol & thinkfan: disable network access.
2024-09-20 04:19:00 +02:00 · 2024-02-24 00:15:24 +01:00 · 2024-02-24 00:15:24 +01:00 · ed9121e5d7
parent 9373b48ffe cee68718db
commit ed9121e5d7
2 changed files with 11 additions and 2 deletions
--- a/nixos/modules/services/hardware/hddfancontrol.nix
+++ b/nixos/modules/services/hardware/hddfancontrol.nix
@ -60,6 +60,10 @@ in
      systemd.services.hddfancontrol = {
        wantedBy = [ "multi-user.target" ];
        environment.HDDFANCONTROL_ARGS = lib.escapeShellArgs args;
+        serviceConfig = {
+          # Hardening
+          PrivateNetwork = true;
+        };
      };
    }
  );
--- a/nixos/modules/services/hardware/thinkfan.nix
+++ b/nixos/modules/services/hardware/thinkfan.nix
@ -217,8 +217,13 @@ in {

    systemd.services = {
      thinkfan.environment.THINKFAN_ARGS = escapeShellArgs ([ "-c" configFile ] ++ cfg.extraArgs);
-      thinkfan.serviceConfig.Restart = "on-failure";
-      thinkfan.serviceConfig.RestartSec = "30s";
+      thinkfan.serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "30s";
+
+        # Hardening
+        PrivateNetwork = true;
+      };

      # must be added manually, see issue #81138
      thinkfan.wantedBy = [ "multi-user.target" ];