foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-04-24 06:19:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: update Bind systemd service config

Browse Source
This commit is contained in:
Gabriel Arazas 2023-10-14 14:05:14 +08:00
parent 680ec43428
commit 1775a0febc
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
hosts/plover/modules/services/bind.nix
View File

@ -209,6 +209,11 @@ in
(certCredentialPath "fullchain.pem") (certCredentialPath "fullchain.pem")
]; ];
LogFilterPatterns = [
# systemd-resolved doesn't have DNS cookie support, it seems.
"~missing expected cookie from 127.0.0.53#53"
];
# Lock and protect various system components. # Lock and protect various system components.
LockPersonality = true; LockPersonality = true;
PrivateTmp = true; PrivateTmp = true;
@ -251,10 +256,7 @@ in
# syslog for this even if the application can so no syslog capability. # syslog for this even if the application can so no syslog capability.
# Additionally, we're using omitting the program's ability to chroot and # Additionally, we're using omitting the program's ability to chroot and
# chown since the user and the directories are already configured. # chown since the user and the directories are already configured.
CapabilityBoundingSet = [ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
# Restrict what address families can it access. # Restrict what address families can it access.
@ -278,7 +280,6 @@ in
ports = [ ports = [
53 # DNS 53 # DNS
853 # DNS-over-TLS/DNS-over-QUIC 853 # DNS-over-TLS/DNS-over-QUIC
dnsOverHTTPSPort
]; ];
in in
{ {