···
++ filter (x: x != null) [
cfg.${proto}.cert or null
89
-
# Without confinement the whole Nix store
90
-
# is made available to the service
91
-
optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [
92
-
"${pkgs.dash}/bin/dash:/bin/sh"
# The following options are only for optimizing:
# systemd-analyze security public-inbox-'*'
AmbientCapabilities = "";
···
ProtectKernelLogs = true;
ProtectProc = "invisible";
111
-
#ProtectSystem = "strict";
104
+
ProtectSystem = "strict";
RestrictAddressFamilies =
···
# Not removing @timer because git upload-pack needs it.
SystemCallArchitectures = "native";
134
-
# The following options are redundant when confinement is enabled
135
-
RootDirectory = "/var/empty";
136
-
TemporaryFileSystem = "/";
137
-
PrivateMounts = true;
138
-
MountAPIVFS = true;
139
-
PrivateDevices = true;
141
-
PrivateUsers = true;
142
-
ProtectControlGroups = true;
143
-
ProtectKernelModules = true;
144
-
ProtectKernelTunables = true;
147
-
# Until we agree upon doing it directly here in NixOS
148
-
# https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447
149
-
# let the user choose to enable the confinement with:
150
-
# systemd.services.public-inbox-httpd.confinement.enable = true;
151
-
# systemd.services.public-inbox-imapd.confinement.enable = true;
152
-
# systemd.services.public-inbox-init.confinement.enable = true;
153
-
# systemd.services.public-inbox-nntpd.confinement.enable = true;
# Inline::C needs a /bin/sh, and dash is enough
binSh = "${pkgs.dash}/bin/dash";
pyrox.dev