treewide: use bool literals for systemd
Run this from the repo root to check that no bool strings remain: grep -P '"true"|"false"' -r --exclude-dir=.git
parent
f0ca489867
commit
c9cfcf695f
@ -193,7 +193,7 @@ in {
|
|||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
||||||
MemoryDenyWriteExecute = "false";
|
MemoryDenyWriteExecute = false;
|
||||||
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -239,7 +239,7 @@ in {
|
|||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
||||||
MemoryDenyWriteExecute = "false";
|
MemoryDenyWriteExecute = false;
|
||||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
||||||
}; in self;
|
}; in self;
|
||||||
|
|
||||||
|
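Review bot: `MemoryDenyWriteExecute = false;` is set for both the nbxplorer and the btcpayserver units (hunks at line 193 and line 239) with no comment saying why this hardening default is switched off. pkgs/lib.nix documents the same override for nodejs with a JIT rationale, so the reason should be stated here too. If the cause is, as I would presume, the .NET runtime's JIT, a line such as `# JIT compilation needs writable-executable memory` above each assignment would do, or a shared named override next to `nodejs` in pkgs/lib.nix. Both serviceConfig blocks start outside the hunks.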
@ -55,8 +55,8 @@ in {
|
|||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
StateDirectory = "onion-addresses";
|
StateDirectory = "onion-addresses";
|
||||||
StateDirectoryMode = "771";
|
StateDirectoryMode = "771";
|
||||||
PrivateNetwork = "true"; # This service needs no network access
|
PrivateNetwork = true; # This service needs no network access
|
||||||
PrivateUsers = "false";
|
PrivateUsers = false;
|
||||||
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||||
};
|
};
|
||||||
script = ''
|
script = ''
|
||||||
|
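Review bot: `PrivateUsers = false;` relaxes a hardening default without explanation, while the `PrivateNetwork = true;` line directly above it carries one. Combined with the broad `CapabilityBoundingSet` (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER and others), this is the least restricted unit among those touched here, so the reason deserves a comment. Presumably the script changes ownership of files for other service users, which a private user namespace would prevent, e.g. `PrivateUsers = false; # needs host UIDs to chown files for other services (confirm)`. The serviceConfig block starts before the hunk and the `script` body continues past it.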
36
pkgs/lib.nix
36
pkgs/lib.nix
@ -7,28 +7,28 @@ with lib;
|
|||||||
let self = {
|
let self = {
|
||||||
# These settings roughly follow systemd's "strict" security profile
|
# These settings roughly follow systemd's "strict" security profile
|
||||||
defaultHardening = {
|
defaultHardening = {
|
||||||
PrivateTmp = "true";
|
PrivateTmp = true;
|
||||||
ProtectSystem = "strict";
|
ProtectSystem = "strict";
|
||||||
ProtectHome = "true";
|
ProtectHome = true;
|
||||||
NoNewPrivileges = "true";
|
NoNewPrivileges = true;
|
||||||
PrivateDevices = "true";
|
PrivateDevices = true;
|
||||||
MemoryDenyWriteExecute = "true";
|
MemoryDenyWriteExecute = true;
|
||||||
ProtectKernelTunables = "true";
|
ProtectKernelTunables = true;
|
||||||
ProtectKernelModules = "true";
|
ProtectKernelModules = true;
|
||||||
ProtectKernelLogs = "true";
|
ProtectKernelLogs = true;
|
||||||
ProtectClock = "true";
|
ProtectClock = true;
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
ProcSubset = "pid";
|
ProcSubset = "pid";
|
||||||
ProtectControlGroups = "true";
|
ProtectControlGroups = true;
|
||||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||||
RestrictNamespaces = "true";
|
RestrictNamespaces = true;
|
||||||
LockPersonality = "true";
|
LockPersonality = true;
|
||||||
IPAddressDeny = "any";
|
IPAddressDeny = "any";
|
||||||
PrivateUsers = "true";
|
PrivateUsers = true;
|
||||||
RestrictSUIDSGID = "true";
|
RestrictSUIDSGID = true;
|
||||||
RemoveIPC = "true";
|
RemoveIPC = true;
|
||||||
RestrictRealtime = "true";
|
RestrictRealtime = true;
|
||||||
ProtectHostname = "true";
|
ProtectHostname = true;
|
||||||
CapabilityBoundingSet = "";
|
CapabilityBoundingSet = "";
|
||||||
# @system-service whitelist and docker seccomp blacklist (except for "clone"
|
# @system-service whitelist and docker seccomp blacklist (except for "clone"
|
||||||
# which is a core requirement for systemd services)
|
# which is a core requirement for systemd services)
|
||||||
@ -42,7 +42,7 @@ let self = {
|
|||||||
};
|
};
|
||||||
|
|
||||||
# nodejs applications require memory write execute for JIT compilation
|
# nodejs applications require memory write execute for JIT compilation
|
||||||
nodejs = { MemoryDenyWriteExecute = "false"; };
|
nodejs = { MemoryDenyWriteExecute = false; };
|
||||||
|
|
||||||
# Allow takes precedence over Deny.
|
# Allow takes precedence over Deny.
|
||||||
allowLocalIPAddresses = {
|
allowLocalIPAddresses = {
|
||||||
|