foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-12 06:19:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

services/yt-dlp: update hardening options

Browse Source
This commit is contained in:
Gabriel Arazas 2022-04-29 16:54:36 +08:00
parent c86182d53a
commit c9d497c3fc
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/nixos/services/yt-dlp.nix
View File

@ -66,7 +66,7 @@ in {
The location of the archive to be downloaded. Must be an absolute path. The location of the archive to be downloaded. Must be an absolute path.
''; '';
default = "/archives/yt-dlp-service"; default = "/archives/yt-dlp-service";
example = lib.literalExpression "/archiving-service/videos"; example = lib.literalExpression "/var/archives/yt-dlp-service";
}; };
extraArgs = lib.mkOption { extraArgs = lib.mkOption {
@ -129,12 +129,18 @@ in {
''; '';
startAt = value.startAt; startAt = value.startAt;
serviceConfig = { serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
}; };
}) cfg.jobs; }) cfg.jobs;
}; };