···
++ filter (x: x != null) [
cfg.${proto}.cert or null
-
# Without confinement the whole Nix store
-
# is made available to the service
-
optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [
-
"${pkgs.dash}/bin/dash:/bin/sh"
# The following options are only for optimizing:
# systemd-analyze security public-inbox-'*'
AmbientCapabilities = "";
···
ProtectKernelLogs = true;
ProtectProc = "invisible";
-
#ProtectSystem = "strict";
RestrictAddressFamilies =
···
# Not removing @timer because git upload-pack needs it.
SystemCallArchitectures = "native";
-
# The following options are redundant when confinement is enabled
-
RootDirectory = "/var/empty";
-
TemporaryFileSystem = "/";
-
ProtectControlGroups = true;
-
ProtectKernelModules = true;
-
ProtectKernelTunables = true;
-
# Until we agree upon doing it directly here in NixOS
-
# https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447
-
# let the user choose to enable the confinement with:
-
# systemd.services.public-inbox-httpd.confinement.enable = true;
-
# systemd.services.public-inbox-imapd.confinement.enable = true;
-
# systemd.services.public-inbox-init.confinement.enable = true;
-
# systemd.services.public-inbox-nntpd.confinement.enable = true;
# Inline::C needs a /bin/sh, and dash is enough
binSh = "${pkgs.dash}/bin/dash";
pyrox.dev