nixos/shiori: harden service with systemd

This commit is contained in:
Minijackson 2020-10-02 20:31:38 +02:00 committed by Bjørn Forsman
parent 4ce6364e29
commit 3fce272478


@ -37,11 +37,60 @@ in {
description = "Shiori simple bookmarks manager"; description = "Shiori simple bookmarks manager";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment.SHIORI_DIR = "/var/lib/shiori";
serviceConfig = { serviceConfig = {
ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}'"; ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}'";
DynamicUser = true; DynamicUser = true;
Environment = "SHIORI_DIR=/var/lib/shiori";
StateDirectory = "shiori"; StateDirectory = "shiori";
# As the RootDirectory
RuntimeDirectory = "shiori";
# Security options
BindReadOnlyPaths = [
"/nix/store"
# For SSL certificates, and the resolv.conf
"/etc"
];
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
RootDirectory = "/run/shiori";
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@chown" "~@cpu-emulation" "~@debug" "~@ipc" "~@keyring" "~@memlock"
"~@module" "~@obsolete" "~@privileged" "~@process" "~@raw-io"
"~@resources" "~@setuid"
];
}; };
}; };
}; };
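Review bot: The BindReadOnlyPaths entry for `/etc` exposes the whole host configuration tree inside the `/run/shiori` root, although the comment above it says only the CA certificates and resolv.conf are needed; a narrower list such as `"/etc/ssl" "/etc/resolv.conf" "/etc/hosts" "/etc/nsswitch.conf"` would keep the chroot closer to least privilege, and since NixOS usually makes these symlinks into `/etc/static`, that path will likely have to be listed too and the result tested with a TLS fetch. Separately, nothing in the new serviceConfig sets `UMask`, so unless shiori creates its files with restrictive modes itself, its database under the StateDirectory will be created with the default 0022 mask; adding `UMask = "0077";` next to `StateDirectory` would cover that. The SystemCallFilter list looks consistent with the other hardening options; `RestrictAddressFamilies` omitting `AF_UNIX` is only safe if the binary never needs nscd or a local socket, which the hunk does not show either way.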