nixos/ympd: Unit hardening

In addition to some systemd unit hardening, the nobody user is no longer used,
as suggested in #55370.
Alvar Penning 2023-01-14 20:20:00 +01:00 committed by Rick van Schijndel
parent a8f2090bc8
commit 63dd9fb5c8


@ -48,8 +48,46 @@ in {
systemd.services.ympd = { systemd.services.ympd = {
description = "Standalone MPD Web GUI written in C"; description = "Standalone MPD Web GUI written in C";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host ${cfg.mpd.host} --port ${toString cfg.mpd.port} --webport ${toString cfg.webPort} --user nobody"; after = [ "network-online.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.ympd}/bin/ympd \
--host ${cfg.mpd.host} \
--port ${toString cfg.mpd.port} \
--webport ${toString cfg.webPort}
'';
DynamicUser = true;
NoNewPrivileges = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"@system-service"
"~@process"
"~@setuid"
];
};
}; };
}; };
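Review bot: Replacing `--user nobody` with `DynamicUser = true` means ympd no longer starts as root, so the `--webport ${toString cfg.webPort}` bind in `ExecStart` will fail for any port below 1024; nothing in the visible hunk grants `CAP_NET_BIND_SERVICE` or rejects such a value. Either assert or document that the web port must be unprivileged and add `CapabilityBoundingSet = "";`, or support privileged ports with `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and a matching bounding set. The `SystemCallFilter` list would also be more robust paired with `SystemCallArchitectures = "native";`, so the filter cannot be sidestepped through a secondary ABI. Separately, `after = [ "network-online.target" ];` only orders the unit, so a `wants = [ "network-online.target" ];` is needed to actually pull the target in. The module's option declarations are outside the hunk, so the type and default of `webPort` could not be checked here.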