authoraszlig <aszlig@redmoonstudios.org>2016-04-12 06:26:39 +0200
committeraszlig <aszlig@redmoonstudios.org>2016-04-12 06:30:05 +0200
commitbb7a8197351e151d1e7918fe2c54de705fa65cc8 (patch)
tree9804223fe6b83a1bcd284a5aac2e29aad15e233a /nixos/modules/services/misc/taskserver
parentdd0d64afea9f184e4408016ed1413e2284cc67a2 (diff)
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r--nixos/modules/services/misc/taskserver/default.nix7
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 8054dbe9f662..e0e94dac48f1 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -417,6 +417,9 @@ in {
         serviceConfig.User = cfg.user;
         serviceConfig.Group = cfg.group;
         serviceConfig.PermissionsStartOnly = true;
+        serviceConfig.PrivateNetwork = true;
+        serviceConfig.PrivateDevices = true;
+        serviceConfig.PrivateTmp = true;
       };
 
       systemd.services.taskserver = {
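Review bot: The three new options on this unit carry no comment, and `PrivateNetwork = true` in particular is easy to trip over later because it leaves the unit with only a loopback interface. A one-line comment above them would record the intent from the commit message, for example `# Init only touches local state: loopback-only network, minimal /dev, private /tmp.`. With `PermissionsStartOnly = true` on the line above, any pre-start commands presumably run as root, and it is worth noting in the same comment that the namespaces apply to those commands too. The unit's attribute set starts outside the hunk, so which service this is cannot be confirmed from here.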
@@ -437,6 +440,8 @@ in {
           ExecStart = "@${taskd} taskd server";
           ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
           PermissionsStartOnly = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
           User = cfg.user;
           Group = cfg.group;
         };
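Review bot: The network-facing `taskserver` unit ends up with the least confinement of the three: it gains `PrivateTmp` and `PrivateDevices`, but nothing restricts what the daemon can write to or whether it can gain privileges after start. Since this unit has to keep network access, it is where `NoNewPrivileges = true;` and `ProtectHome = true;` would pay off most. `ProtectSystem = "full";` is also worth considering if the data directory lives outside the paths that setting makes read-only. These should be checked against whatever the pre-start step does, since `PermissionsStartOnly = true` suggests part of the unit runs as root. The `serviceConfig` set opens outside the hunk.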
@@ -450,6 +455,8 @@ in {
         description = "Initialize CA for TaskServer";
         serviceConfig.Type = "oneshot";
         serviceConfig.UMask = "0077";
+        serviceConfig.PrivateNetwork = true;
+        serviceConfig.PrivateTmp = true;
 
         script = ''
           silent_certtool() {
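Review bot: The CA initialisation unit gets `PrivateNetwork` and `PrivateTmp` but not `PrivateDevices`, although the commit message says the Taskserver does not need the full /dev and the unit in the first hunk receives all three. This unit generates key material, so it is the one where a minimal /dev is most worth having; adding `serviceConfig.PrivateDevices = true;` next to the other two would make the units consistent. The private /dev still provides `/dev/urandom` and `/dev/random`, so certtool's key generation should be unaffected, but the script body continues outside the hunk and should be checked for any other device use.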