pyrox.dev / nixpkgs
lol
fork atom

nixos/meilisearch: harden (#427768)

Yt 44759f48 35d1a227

options
unified split
Changed files
+39
nixos
modules
services
search
meilisearch.nix
+39
nixos/modules/services/search/meilisearch.nix 
···

       
237

       
237

       
 

       
        WorkingDirectory = "%S/meilisearch";


     

       
238

       
238

       
 

       
        RuntimeDirectory = "meilisearch";


     

       
239

       
239

       
 

       
        RuntimeDirectoryMode = "0700";


     

       

       
240

       
+

       



     

       

       
241

       
+

       
        ProtectSystem = "strict";


     

       

       
242

       
+

       
        ProtectHome = true;


     

       

       
243

       
+

       
        ProtectClock = true;


     

       

       
244

       
+

       
        ProtectHostname = true;


     

       

       
245

       
+

       
        ProtectKernelLogs = true;


     

       

       
246

       
+

       
        ProtectKernelModules = true;


     

       

       
247

       
+

       
        ProtectKernelTunables = true;


     

       

       
248

       
+

       
        ProtectControlGroups = true;


     

       

       
249

       
+

       
        PrivateTmp = true;


     

       

       
250

       
+

       
        PrivateMounts = true;


     

       

       
251

       
+

       
        PrivateUsers = true;


     

       

       
252

       
+

       
        PrivateDevices = true;


     

       

       
253

       
+

       
        RestrictRealtime = true;


     

       

       
254

       
+

       
        RestrictNamespaces = true;


     

       

       
255

       
+

       
        RestrictSUIDSGID = true;


     

       

       
256

       
+

       
        LockPersonality = true;


     

       

       
257

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
258

       
+

       



     

       

       
259

       
+

       
        ProcSubset = "pid";


     

       

       
260

       
+

       
        ProtectProc = "invisible";


     

       

       
261

       
+

       



     

       

       
262

       
+

       
        NoNewPrivileges = true;


     

       

       
263

       
+

       



     

       

       
264

       
+

       
        # Meilisearch does not support listening on AF_UNIX sockets,


     

       

       
265

       
+

       
        # so we currently restrict it to only AF_INET and AF_INET6.


     

       

       
266

       
+

       
        RestrictAddressFamilies = [


     

       

       
267

       
+

       
          "AF_INET"


     

       

       
268

       
+

       
          "AF_INET6"


     

       

       
269

       
+

       
        ];


     

       

       
270

       
+

       



     

       

       
271

       
+

       
        CapabilityBoundingSet = "";


     

       

       
272

       
+

       
        SystemCallArchitectures = "native";


     

       

       
273

       
+

       
        SystemCallFilter = [


     

       

       
274

       
+

       
          "@system-service"


     

       

       
275

       
+

       
          "~@privileged @resources"


     

       

       
276

       
+

       
        ];


     

       

       
277

       
+

       



     

       

       
278

       
+

       
        UMask = "0077";


     

       
240

       
279

       
 

       
      };


     

       
241

       
280

       
 

       
    };


     

       
242

       
281

       
 

       
  };