foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 12:19:07 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

services/gallery-dl: update hardening options

Browse Source
This commit is contained in:
Gabriel Arazas 2022-04-29 16:55:09 +08:00
parent c9d497c3fc
commit cffc206eb4
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/nixos/services/gallery-dl.nix
View File

@ -73,7 +73,7 @@ in {
to be created at the time of running the service.
'';
default = "/archives/gallery-dl-service";
example = lib.literalExpression "/archiving-service/photos";
example = lib.literalExpression "/var/archives/gallery-dl-services";
};
settings = lib.mkOption {
@ -153,12 +153,18 @@ in {
'';
startAt = value.startAt;
serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
};
}) cfg.jobs;
};