diff options
author | Ivan Trubach <mr.trubach@icloud.com> | 2023-11-20 06:58:36 +0300 |
---|---|---|
committer | Ivan Trubach <mr.trubach@icloud.com> | 2023-11-20 07:11:34 +0300 |
commit | 5c898bec57e89cd4ceaf8d18140773fdba2447c8 (patch) | |
tree | 12e9bca53129b9f261494cc05fa2323c65ecf768 /nixos/modules/services/databases | |
parent | d4d822f526f1f72a450da88bf35abe132181170f (diff) | |
download | nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar.gz nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar.bz2 nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar.lz nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar.xz nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.tar.zst nixlib-5c898bec57e89cd4ceaf8d18140773fdba2447c8.zip |
nixos/redis: loosen systemd address family restrictions
Do not assume that port and unixSocket are the only options that affect address families used by Redis. There are other options, e.g. tls-port, and also clustered setup that are not covered by the declarative configuration. Instead of trying to selectively restrict unused address families based on the configuration, limit address families to IP and Unix sockets and let users lib.mkForce a stricter sandboxing is needed. See also https://docs.redis.com/latest/rs/networking/port-configurations/
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r-- | nixos/modules/services/databases/redis.nix | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 1464f4487e39..e2363ec3bc0e 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -393,9 +393,7 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; ProtectControlGroups = true; - RestrictAddressFamilies = - optionals (conf.port != 0) ["AF_INET" "AF_INET6"] ++ - optional (conf.unixSocket != null) "AF_UNIX"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; |