commit fae4917f2f72fa00cf0c4e34d2507c5b96a2f6bb · pyrox.dev/nixpkgs

+39 -1
nixos/modules/services/misc/homepage-dashboard.nix
···

       232
       232
        
       

     

       233
       233
        
             serviceConfig = {

     

       234
       234
        
               Type = "simple";

     

       235
       235
       -
               DynamicUser = true;

     

       236
       235
        
               EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;

     

       237
       236
        
               StateDirectory = "homepage-dashboard";

     

       238
       237
        
               CacheDirectory = "homepage-dashboard";

     

       239
       238
        
               ExecStart = lib.getExe cfg.package;

     

       240
       239
        
               Restart = "on-failure";

     

       240
       240
       +
       

     

       241
       241
       +
               # hardening

     

       242
       242
       +
               DynamicUser = true;

     

       243
       243
       +
               DevicePolicy = "closed";

     

       244
       244
       +
               CapabilityBoundingSet = "";

     

       245
       245
       +
               RestrictAddressFamilies = [

     

       246
       246
       +
                 "AF_INET"

     

       247
       247
       +
                 "AF_INET6"

     

       248
       248
       +
                 "AF_UNIX"

     

       249
       249
       +
                 "AF_NETLINK"

     

       250
       250
       +
               ];

     

       251
       251
       +
               DeviceAllow = "";

     

       252
       252
       +
               NoNewPrivileges = true;

     

       253
       253
       +
               PrivateDevices = true;

     

       254
       254
       +
               PrivateMounts = true;

     

       255
       255
       +
               PrivateTmp = true;

     

       256
       256
       +
               PrivateUsers = true;

     

       257
       257
       +
               ProtectClock = true;

     

       258
       258
       +
               ProtectControlGroups = true;

     

       259
       259
       +
               ProtectHome = true;

     

       260
       260
       +
               ProtectKernelLogs = true;

     

       261
       261
       +
               ProtectKernelModules = true;

     

       262
       262
       +
               ProtectKernelTunables = true;

     

       263
       263
       +
               ProtectSystem = "strict";

     

       264
       264
       +
               LockPersonality = true;

     

       265
       265
       +
               RemoveIPC = true;

     

       266
       266
       +
               RestrictNamespaces = true;

     

       267
       267
       +
               RestrictRealtime = true;

     

       268
       268
       +
               RestrictSUIDSGID = true;

     

       269
       269
       +
               SystemCallArchitectures = "native";

     

       270
       270
       +
               SystemCallFilter = [

     

       271
       271
       +
                 "@system-service"

     

       272
       272
       +
                 "~@resources"

     

       273
       273
       +
               ];

     

       274
       274
       +
               ProtectProc = "invisible";

     

       275
       275
       +
               ProtectHostname = true;

     

       276
       276
       +
               UMask = "0077";

     

       277
       277
       +
               # cpu widget requires access to /proc

     

       278
       278
       +
               ProcSubset = if lib.any (widget: widget.resources.cpu or false) cfg.widgets then "all" else "pid";

     

       241
       279
        
             };

     

       242
       280
        
       

     

       243
       281
        
             enableStrictShellChecks = true;