nixos/shiori: harden service with systemd
This commit is contained in:
parent
4ce6364e29
commit
3fce272478
@ -37,11 +37,60 @@ in {
|
|||||||
description = "Shiori simple bookmarks manager";
|
description = "Shiori simple bookmarks manager";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
environment.SHIORI_DIR = "/var/lib/shiori";
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}'";
|
ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}'";
|
||||||
|
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
Environment = "SHIORI_DIR=/var/lib/shiori";
|
|
||||||
StateDirectory = "shiori";
|
StateDirectory = "shiori";
|
||||||
|
# As the RootDirectory
|
||||||
|
RuntimeDirectory = "shiori";
|
||||||
|
|
||||||
|
# Security options
|
||||||
|
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
"/nix/store"
|
||||||
|
|
||||||
|
# For SSL certificates, and the resolv.conf
|
||||||
|
"/etc"
|
||||||
|
];
|
||||||
|
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
|
||||||
|
DeviceAllow = "";
|
||||||
|
|
||||||
|
LockPersonality = true;
|
||||||
|
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
|
||||||
|
RootDirectory = "/run/shiori";
|
||||||
|
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallErrorNumber = "EPERM";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
|
||||||
|
"~@chown" "~@cpu-emulation" "~@debug" "~@ipc" "~@keyring" "~@memlock"
|
||||||
|
"~@module" "~@obsolete" "~@privileged" "~@process" "~@raw-io"
|
||||||
|
"~@resources" "~@setuid"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
Loading…
Reference in New Issue
Block a user