author | Alvar Penning <post@0x21.biz> | 2023-01-14 20:20:00 +0100 |
---|---|---|
committer | Rick van Schijndel <Mindavi@users.noreply.github.com> | 2023-02-09 19:10:19 +0100 |
commit | 63dd9fb5c8b99209ea9fea0ab9aeb82f2710dba0 (patch) | |
tree | 7c847654eac3059dc30254544e0777dd14bfb55d /nixos/modules/services/audio | |
parent | a8f2090bc8264a0bae90583a60e28e7d9ac5fc7a (diff) | |
nixos/ympd: Unit hardening
Besides adding systemd unit hardening, the service no longer runs as the nobody user, as suggested in #55370.
Diffstat (limited to 'nixos/modules/services/audio')
-rw-r--r-- | nixos/modules/services/audio/ympd.nix | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/nixos/modules/services/audio/ympd.nix b/nixos/modules/services/audio/ympd.nix
index 811b81030efc..b74cc3f9c0b4 100644
--- a/nixos/modules/services/audio/ympd.nix
+++ b/nixos/modules/services/audio/ympd.nix
@@ -48,8 +48,46 @@ in {
systemd.services.ympd = {
description = "Standalone MPD Web GUI written in C";
+ wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host ${cfg.mpd.host} --port ${toString cfg.mpd.port} --webport ${toString cfg.webPort} --user nobody";
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.ympd}/bin/ympd \
+ --host ${cfg.mpd.host} \
+ --port ${toString cfg.mpd.port} \
+ --webport ${toString cfg.webPort}
+ '';
+
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallFilter = [
+ "@system-service"
+ "~@process"
+ "~@setuid"
+ ];
+ };
};
};
|
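Review bot: Replacing the old ExecStart (which ran with the unit's default root identity and left privilege dropping to ympd's own `--user nobody`) with `DynamicUser = true` means the process never holds CAP_NET_BIND_SERVICE, so a `cfg.webPort` below 1024 (e.g. 80) would now fail with EACCES at bind time, and nothing in the new serviceConfig covers that case. If the option's type admits such values (the `toString cfg.webPort` in the ExecStart suggests it may not be a plain integer, so confirm the declaration outside this hunk), either gate the capability on the port rather than granting it unconditionally, e.g. `AmbientCapabilities = lib.optional (cfg.webPort < 1024) "CAP_NET_BIND_SERVICE";` with a matching `CapabilityBoundingSet`, or add an assertion rejecting privileged ports and state the limitation in the option description. Separately, `after = [ "network-online.target" ];` on its own only orders the unit and does not pull the target in; add `wants = [ "network-online.target" ];` next to it so the ordering takes effect. The enclosing `config` attribute set this service belongs to starts before the hunk.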