commit 7762c2233c801f22cb0e377dcef2a2b510609f9b · pyrox.dev/nixpkgs

+18 -1
nixos/modules/services/backup/restic-rest-server.nix
···

       80
       80
        
               Group = "restic";

     

       81
       81
        
       

     

       82
       82
        
               # Security hardening

     

       83
       83
       -
               ReadWritePaths = [ cfg.dataDir ];

     

       83
       83
       +
               CapabilityBoundingSet = "";

     

       84
       84
       +
               LockPersonality = true;

     

       85
       85
       +
               MemoryDenyWriteExecute = true;

     

       86
       86
       +
               NoNewPrivileges = true;

     

       84
       87
        
               PrivateTmp = true;

     

       88
       88
       +
               PrivateUsers = true;

     

       89
       89
       +
               ProtectClock = true;

     

       90
       90
       +
               ProtectHome = true;

     

       91
       91
       +
               ProtectHostname = true;

     

       92
       92
       +
               ProtectKernelLogs = true;

     

       93
       93
       +
               ProtectProc = "invisible";

     

       85
       94
        
               ProtectSystem = "strict";

     

       86
       95
        
               ProtectKernelTunables = true;

     

       87
       96
        
               ProtectKernelModules = true;

     

       88
       97
        
               ProtectControlGroups = true;

     

       89
       98
        
               PrivateDevices = true;

     

       99
       99
       +
               ReadWritePaths = [ cfg.dataDir ];

     

       100
       100
       +
               RemoveIPC = true;

     

       101
       101
       +
               RestrictNamespaces = true;

     

       102
       102
       +
               RestrictRealtime = true;

     

       103
       103
       +
               RestrictSUIDSGID = true;

     

       104
       104
       +
               SystemCallArchitectures = "native";

     

       105
       105
       +
               SystemCallFilter = "@system-service";

     

       106
       106
       +
               UMask = 027;

     

       90
       107
        
             };

     

       91
       108
        
           };

     

       92
       109