nixos/supybot: enable systemd sandboxing options
parent
b150e08169
commit
57f5fb62d4
|
@ -72,6 +72,16 @@
|
||||||
}</programlisting>
|
}</programlisting>
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
|
||||||
|
as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
|
||||||
|
is 20.09 or higher. It also enables number of
|
||||||
|
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
|
||||||
|
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
|
||||||
|
<option>systemd.services.supybot.serviceConfig</option>.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
|
|
@ -3,13 +3,11 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.services.supybot;
|
cfg = config.services.supybot;
|
||||||
|
isStateDirHome = hasPrefix "/home/" cfg.stateDir;
|
||||||
|
isStateDirVar = cfg.stateDir == "/var/lib/supybot";
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
|
||||||
services.supybot = {
|
services.supybot = {
|
||||||
|
@ -43,7 +41,6 @@ in
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.pythonPackages.limnoria ];
|
environment.systemPackages = [ pkgs.pythonPackages.limnoria ];
|
||||||
|
@ -79,6 +76,32 @@ in
|
||||||
Restart = "on-abort";
|
Restart = "on-abort";
|
||||||
StartLimitInterval = "5m";
|
StartLimitInterval = "5m";
|
||||||
StartLimitBurst = "1";
|
StartLimitBurst = "1";
|
||||||
|
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
ProtectSystem = "full";
|
||||||
|
}
|
||||||
|
// optionalAttrs isStateDirVar {
|
||||||
|
StateDirectory = "supybot";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
}
|
||||||
|
// optionalAttrs (!isStateDirHome) {
|
||||||
|
ProtectHome = true;
|
||||||
};
|
};
|
||||||
};
|
};
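Review bot: The new hardening set in `serviceConfig` restricts capabilities, address families and namespaces but leaves the system-call surface completely open — there is no `SystemCallFilter`, so a compromised plugin can still reach every syscall the kernel exposes to an unprivileged process. Alongside `SystemCallArchitectures = "native";` I would add `SystemCallFilter = [ "@system-service" "~@privileged @resources" ];` (the group names exist in the systemd shipped with 20.09; worth confirming Limnoria starts under it), and `ProtectKernelLogs = true;` plus `ProtectClock = true;` next to `ProtectKernelTunables`, since the bot has no reason to read dmesg or set the clock. `MemoryDenyWriteExecute = true` is presumably the option most likely to trip plugins that load ctypes/cffi extensions, so the release note's "may interfere with some plugins" would be more actionable if it named that option as the first thing to try disabling. The enclosing `serviceConfig` attribute set and the `config = mkIf cfg.enable` block begin outside this hunk, so the `User`/`Group` that `StateDirectory = "supybot"` will chown to are not visible here.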
|
||||||
|
|
||||||
|
|