greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

treewide: use bool literals for systemd

Browse Source 
Run this from the repo root to check that there are no more remaining
bool strings:
grep -P '"true"|"false"' -r --exclude-dir=.git
This commit is contained in:
Erik Arvstedt
2023-01-20 13:45:07 +01:00
parent 84fc4d48d3
commit b76728a1ec
3 changed files with 22 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
pkgs/lib.nix
View File

@@ -7,28 +7,28 @@ with lib;
let self = {
# These settings roughly follow systemd's "strict" security profile
defaultHardening = {
PrivateTmp = "true";
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = "true";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
ProtectKernelLogs = "true";
ProtectClock = "true";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
MemoryDenyWriteExecute = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectControlGroups = "true";
ProtectControlGroups = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true";
LockPersonality = "true";
RestrictNamespaces = true;
LockPersonality = true;
IPAddressDeny = "any";
PrivateUsers = "true";
RestrictSUIDSGID = "true";
RemoveIPC = "true";
RestrictRealtime = "true";
ProtectHostname = "true";
PrivateUsers = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
RestrictRealtime = true;
ProtectHostname = true;
CapabilityBoundingSet = "";
# @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services)
@@ -42,7 +42,7 @@ let self = {
};
# nodejs applications require memory write execute for JIT compilation
nodejs = { MemoryDenyWriteExecute = "false"; };
nodejs = { MemoryDenyWriteExecute = false; };
# Allow takes precedence over Deny.
allowLocalIPAddresses = {