added some security options
This commit is contained in:
parent
85bae9d67d
commit
95ffbf6300
1 changed files with 24 additions and 0 deletions
24
flake.nix
24
flake.nix
|
|
@ -79,6 +79,30 @@
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${cfg.package}/bin/sTodo";
|
ExecStart = "${cfg.package}/bin/sTodo";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
|
User = "sTodo";
|
||||||
|
Group = "sTodo";
|
||||||
|
StateDirectory = "sTodo";
|
||||||
|
StateDirectoryMode = "0700";
|
||||||
|
|
||||||
|
AmbientCapabilities = "";
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
DeviceAllow = "";
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = "read-only";
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "noaccess";
|
||||||
|
ProtectSystem = "strict";
|
||||||
};
|
};
|
||||||
environment = {
|
environment = {
|
||||||
YESOD_PORT = "${toString cfg.port}";
|
YESOD_PORT = "${toString cfg.port}";
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue