diff options
author | aszlig <aszlig@redmoonstudios.org> | 2016-04-12 06:26:39 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-04-12 06:30:05 +0200 |
commit | bb7a8197351e151d1e7918fe2c54de705fa65cc8 (patch) | |
tree | 9804223fe6b83a1bcd284a5aac2e29aad15e233a /nixos/modules/services/misc/taskserver | |
parent | dd0d64afea9f184e4408016ed1413e2284cc67a2 (diff) | |
download | nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar.gz nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar.bz2 nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar.lz nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar.xz nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.tar.zst nixlib-bb7a8197351e151d1e7918fe2c54de705fa65cc8.zip |
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a shared /tmp. In addition, the initialisation services don't need network access, so let's constrain them to the loopback device. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index 8054dbe9f662..e0e94dac48f1 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -417,6 +417,9 @@ in { serviceConfig.User = cfg.user; serviceConfig.Group = cfg.group; serviceConfig.PermissionsStartOnly = true; + serviceConfig.PrivateNetwork = true; + serviceConfig.PrivateDevices = true; + serviceConfig.PrivateTmp = true; }; systemd.services.taskserver = { @@ -437,6 +440,8 @@ in { ExecStart = "@${taskd} taskd server"; ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; PermissionsStartOnly = true; + PrivateTmp = true; + PrivateDevices = true; User = cfg.user; Group = cfg.group; }; @@ -450,6 +455,8 @@ in { description = "Initialize CA for TaskServer"; serviceConfig.Type = "oneshot"; serviceConfig.UMask = "0077"; + serviceConfig.PrivateNetwork = true; + serviceConfig.PrivateTmp = true; script = '' silent_certtool() { |