pyrox.dev / nixpkgs
lol
fork atom

nixos/pgadmin: Apply hardening options

Signed-off-by: Felix Singer <felixsinger@posteo.net>

Felix Singer 35693b32 ecb4f79d

options
unified split
Changed files
+27
nixos
modules
services
admin
pgadmin.nix
+27
nixos/modules/services/admin/pgadmin.nix 
···

       
228

       
228

       
 

       
          "initial_password:${cfg.initialPasswordFile}"


     

       
229

       
229

       
 

       
        ]


     

       
230

       
230

       
 

       
        ++ lib.optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}";


     

       

       
231

       
+

       
        AmbientCapabilities = "";


     

       

       
232

       
+

       
        CapabilityBoundingSet = "";


     

       

       
233

       
+

       
        LockPersonality = true;


     

       

       
234

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
235

       
+

       
        NoNewPrivileges = true;


     

       

       
236

       
+

       
        PrivateDevices = true;


     

       

       
237

       
+

       
        PrivateMounts = true;


     

       

       
238

       
+

       
        PrivateTmp = true;


     

       

       
239

       
+

       
        ProtectClock = true;


     

       

       
240

       
+

       
        ProtectControlGroups = true;


     

       

       
241

       
+

       
        ProtectHome = true;


     

       

       
242

       
+

       
        ProtectHostname = true;


     

       

       
243

       
+

       
        ProtectKernelLogs = true;


     

       

       
244

       
+

       
        ProtectKernelModules = true;


     

       

       
245

       
+

       
        ProtectKernelTunables = true;


     

       

       
246

       
+

       
        ProtectSystem = "full";


     

       

       
247

       
+

       
        RemoveIPC = true;


     

       

       
248

       
+

       
        RestrictAddressFamilies = [


     

       

       
249

       
+

       
          "AF_UNIX"


     

       

       
250

       
+

       
          "AF_INET"


     

       

       
251

       
+

       
          "AF_INET6"


     

       

       
252

       
+

       
        ];


     

       

       
253

       
+

       
        RestrictNamespaces = true;


     

       

       
254

       
+

       
        RestrictRealtime = true;


     

       

       
255

       
+

       
        RestrictSUIDSGID = true;


     

       

       
256

       
+

       
        SystemCallArchitectures = "native";


     

       

       
257

       
+

       
        UMask = 27;


     

       
231

       
258

       
 

       
      };


     

       
232

       
259

       
 

       
    };


     

       
233

       
260