pyrox.dev / nixpkgs
lol
fork atom

nixos/parsoid: enable systemd sandboxing

Martin Milata 9b0a9577 3b27f4d9

options
unified split
Changed files
+22 -1
nixos
modules
services
misc
parsoid.nix
+22 -1
nixos/modules/services/misc/parsoid.nix 
···

       
98

       
98

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
99

       
99

       
 

       
      after = [ "network.target" ];


     

       
100

       
100

       
 

       
      serviceConfig = {


     

       
101

       

       
-

       
        User = "nobody";


     

       
102

       
101

       
 

       
        ExecStart = "${parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}";


     

       

       
102

       
+

       



     

       

       
103

       
+

       
        DynamicUser = true;


     

       

       
104

       
+

       
        User = "parsoid";


     

       

       
105

       
+

       
        Group = "parsoid";


     

       

       
106

       
+

       



     

       

       
107

       
+

       
        CapabilityBoundingSet = "";


     

       

       
108

       
+

       
        NoNewPrivileges = true;


     

       

       
109

       
+

       
        ProtectSystem = "strict";


     

       

       
110

       
+

       
        ProtectHome = true;


     

       

       
111

       
+

       
        PrivateTmp = true;


     

       

       
112

       
+

       
        PrivateDevices = true;


     

       

       
113

       
+

       
        ProtectHostname = true;


     

       

       
114

       
+

       
        ProtectKernelTunables = true;


     

       

       
115

       
+

       
        ProtectKernelModules = true;


     

       

       
116

       
+

       
        ProtectControlGroups = true;


     

       

       
117

       
+

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
118

       
+

       
        RestrictNamespaces = true;


     

       

       
119

       
+

       
        LockPersonality = true;


     

       

       
120

       
+

       
        #MemoryDenyWriteExecute = true;


     

       

       
121

       
+

       
        RestrictRealtime = true;


     

       

       
122

       
+

       
        RestrictSUIDSGID = true;


     

       

       
123

       
+

       
        RemoveIPC = true;


     

       
103

       
124

       
 

       
      };


     

       
104

       
125

       
 

       
    };


     

       
105

       
126