treewide: use bool literals for systemd

Run this from the repo root to check that there are no more remaining
bool strings:
grep -P '"true"|"false"' -r --exclude-dir=.git
This commit is contained in:
Erik Arvstedt 2023-01-20 13:45:07 +01:00 committed by Greg Shuflin
parent f0ca489867
commit c9cfcf695f
3 changed files with 22 additions and 22 deletions

View File

@ -193,7 +193,7 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = [ cfg.nbxplorer.dataDir ]; ReadWritePaths = [ cfg.nbxplorer.dataDir ];
MemoryDenyWriteExecute = "false"; MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce; } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
}; };
@ -239,7 +239,7 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = [ cfg.btcpayserver.dataDir ]; ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = "false"; MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce; } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
}; in self; }; in self;

View File

@ -55,8 +55,8 @@ in {
RemainAfterExit = true; RemainAfterExit = true;
StateDirectory = "onion-addresses"; StateDirectory = "onion-addresses";
StateDirectoryMode = "771"; StateDirectoryMode = "771";
PrivateNetwork = "true"; # This service needs no network access PrivateNetwork = true; # This service needs no network access
PrivateUsers = "false"; PrivateUsers = false;
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
}; };
script = '' script = ''

View File

@ -7,28 +7,28 @@ with lib;
let self = { let self = {
# These settings roughly follow systemd's "strict" security profile # These settings roughly follow systemd's "strict" security profile
defaultHardening = { defaultHardening = {
PrivateTmp = "true"; PrivateTmp = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectHome = "true"; ProtectHome = true;
NoNewPrivileges = "true"; NoNewPrivileges = true;
PrivateDevices = "true"; PrivateDevices = true;
MemoryDenyWriteExecute = "true"; MemoryDenyWriteExecute = true;
ProtectKernelTunables = "true"; ProtectKernelTunables = true;
ProtectKernelModules = "true"; ProtectKernelModules = true;
ProtectKernelLogs = "true"; ProtectKernelLogs = true;
ProtectClock = "true"; ProtectClock = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
ProtectControlGroups = "true"; ProtectControlGroups = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true"; RestrictNamespaces = true;
LockPersonality = "true"; LockPersonality = true;
IPAddressDeny = "any"; IPAddressDeny = "any";
PrivateUsers = "true"; PrivateUsers = true;
RestrictSUIDSGID = "true"; RestrictSUIDSGID = true;
RemoveIPC = "true"; RemoveIPC = true;
RestrictRealtime = "true"; RestrictRealtime = true;
ProtectHostname = "true"; ProtectHostname = true;
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# @system-service whitelist and docker seccomp blacklist (except for "clone" # @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services) # which is a core requirement for systemd services)
@ -42,7 +42,7 @@ let self = {
}; };
# nodejs applications require memory write execute for JIT compilation # nodejs applications require memory write execute for JIT compilation
nodejs = { MemoryDenyWriteExecute = "false"; }; nodejs = { MemoryDenyWriteExecute = false; };
# Allow takes precedence over Deny. # Allow takes precedence over Deny.
allowLocalIPAddresses = { allowLocalIPAddresses = {