rhi/peerix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Even less security

Browse source
This commit is contained in:
Sarah 2021-10-17 14:13:04 +02:00
parent 4ee7a3abc1
commit 1743539d93
No known key found for this signature in database
GPG key ID: 708F7ACE058F0186
1 changed files with 14 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
module.nix
View file

@ -61,7 +61,7 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PrivateMounts = true; # PrivateMounts = true;
# PrivateDevices = true; # PrivateDevices = true;
# PrivateTmp = true; # PrivateTmp = true;
# PrivateIPC = true; # PrivateIPC = true;
@ -90,20 +90,20 @@ in
# ProtectControlGroups = true; # ProtectControlGroups = true;
# RestrictNamespaces = ""; # RestrictNamespaces = "";
NoNewPrivileges = true; # NoNewPrivileges = true;
ReadOnlyPaths = lib.mkMerge [ # ReadOnlyPaths = lib.mkMerge [
([ # ([
"/nix/var" # "/nix/var"
"/nix/store" # "/nix/store"
]) # ])
(lib.mkIf (cfg.privateKeyFile != null) [ # (lib.mkIf (cfg.privateKeyFile != null) [
(toString cfg.privateKeyFile) # (toString cfg.privateKeyFile)
]) # ])
]; # ];
ExecPaths = [ # ExecPaths = [
"/nix/store" # "/nix/store"
]; # ];
Environment = lib.mkIf (cfg.privateKeyFile != null) [ Environment = lib.mkIf (cfg.privateKeyFile != null) [
"NIX_SECRET_KEY_FILE=${toString cfg.privateKeyFile}" "NIX_SECRET_KEY_FILE=${toString cfg.privateKeyFile}"
]; ];