pyrox.dev / nixpkgs
lol
fork atom

nixos/ympd: Unit hardening

Next to some systemd unit hardening, the nobody user isn't used anymore,
as suggested in #55370.

Alvar Penning 63dd9fb5 a8f2090b

options
unified split
Changed files
+39 -1
nixos
modules
services
audio
ympd.nix
+39 -1
nixos/modules/services/audio/ympd.nix 
···

       
48

       
 

       



     

       
49

       
 

       
    systemd.services.ympd = {


     

       
50

       
 

       
      description = "Standalone MPD Web GUI written in C";


     

       

       

       
     

       
51

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
52

       
-

       
      serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host ${cfg.mpd.host} --port ${toString cfg.mpd.port} --webport ${toString cfg.webPort} --user nobody";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
53

       
 

       
    };


     

       
54

       
 

       



     

       
55

       
 

       
  };


     
···

       
48

       
 

       



     

       
49

       
 

       
    systemd.services.ympd = {


     

       
50

       
 

       
      description = "Standalone MPD Web GUI written in C";


     

       
51

       
+

       



     

       
52

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
53

       
+

       
      after = [ "network-online.target" ];


     

       
54

       
+

       



     

       
55

       
+

       
      serviceConfig = {


     

       
56

       
+

       
        ExecStart = ''


     

       
57

       
+

       
          ${pkgs.ympd}/bin/ympd \


     

       
58

       
+

       
            --host ${cfg.mpd.host} \


     

       
59

       
+

       
            --port ${toString cfg.mpd.port} \


     

       
60

       
+

       
            --webport ${toString cfg.webPort}


     

       
61

       
+

       
        '';


     

       
62

       
+

       



     

       
63

       
+

       
        DynamicUser = true;


     

       
64

       
+

       
        NoNewPrivileges = true;


     

       
65

       
+

       



     

       
66

       
+

       
        ProtectProc = "invisible";


     

       
67

       
+

       
        ProtectSystem = "strict";


     

       
68

       
+

       
        ProtectHome = "tmpfs";


     

       
69

       
+

       



     

       
70

       
+

       
        PrivateTmp = true;


     

       
71

       
+

       
        PrivateDevices = true;


     

       
72

       
+

       
        PrivateIPC = true;


     

       
73

       
+

       



     

       
74

       
+

       
        ProtectHostname = true;


     

       
75

       
+

       
        ProtectClock = true;


     

       
76

       
+

       
        ProtectKernelTunables = true;


     

       
77

       
+

       
        ProtectKernelModules = true;


     

       
78

       
+

       
        ProtectKernelLogs = true;


     

       
79

       
+

       
        ProtectControlGroups = true;


     

       
80

       
+

       



     

       
81

       
+

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       
82

       
+

       
        RestrictRealtime = true;


     

       
83

       
+

       
        RestrictSUIDSGID = true;


     

       
84

       
+

       



     

       
85

       
+

       
        SystemCallFilter = [


     

       
86

       
+

       
          "@system-service"


     

       
87

       
+

       
          "~@process"


     

       
88

       
+

       
          "~@setuid"


     

       
89

       
+

       
        ];


     

       
90

       
+

       
      };


     

       
91

       
 

       
    };


     

       
92

       
 

       



     

       
93

       
 

       
  };