pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #283298 from mkg20001/rustdesk-dynamic

rustdesk-server: use DynamicUser

Maciej Krüger 657e5c43 0da27370

options
unified split
Changed files
+1 -5
nixos
modules
services
monitoring
rustdesk-server.nix
+1 -5
nixos/modules/services/monitoring/rustdesk-server.nix 
···

       
53

       
53

       
 

       
        Slice = "system-rustdesk.slice";


     

       
54

       
54

       
 

       
        User  = "rustdesk";


     

       
55

       
55

       
 

       
        Group = "rustdesk";


     

       

       
56

       
+

       
        DynamicUser = "yes";


     

       
56

       
57

       
 

       
        Environment = [];


     

       
57

       
58

       
 

       
        WorkingDirectory = "/var/lib/rustdesk";


     

       
58

       
59

       
 

       
        StateDirectory   = "rustdesk";


     

       
59

       
60

       
 

       
        StateDirectoryMode = "0750";


     

       
60

       
61

       
 

       
        LockPersonality = true;


     

       
61

       

       
-

       
        NoNewPrivileges = true;


     

       
62

       
62

       
 

       
        PrivateDevices = true;


     

       
63

       
63

       
 

       
        PrivateMounts = true;


     

       
64

       

       
-

       
        PrivateTmp = true;


     

       
65

       
64

       
 

       
        PrivateUsers = true;


     

       
66

       
65

       
 

       
        ProtectClock = true;


     

       
67

       
66

       
 

       
        ProtectControlGroups = true;


     
···

       
71

       
70

       
 

       
        ProtectKernelModules = true;


     

       
72

       
71

       
 

       
        ProtectKernelTunables = true;


     

       
73

       
72

       
 

       
        ProtectProc = "invisible";


     

       
74

       

       
-

       
        ProtectSystem = "strict";


     

       
75

       

       
-

       
        RemoveIPC = true;


     

       
76

       
73

       
 

       
        RestrictNamespaces = true;


     

       
77

       

       
-

       
        RestrictSUIDSGID = true;


     

       
78

       
74

       
 

       
      };


     

       
79

       
75

       
 

       
    };


     

       
80

       
76

       
 

       
  in lib.mkIf cfg.enable {