diff options
| author | Cabia Rangris <me@cab404.ru> | 2023-10-20 09:59:21 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-20 09:59:21 +0000 |
| commit | 585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2 (patch) | |
| tree | 3f2da3ebca71547eb129789bb1c7b1290a38c520 /nixos/modules/services/web-apps | |
| parent | 9c30003e04cdf34d54f2e3995b32558c0d5d4d7f (diff) | |
| parent | 39e1727f0f01181655f31de474f2fe13b7ce582e (diff) | |
| download | nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar.gz nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar.bz2 nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar.lz nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar.xz nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.tar.zst nixlib-585a8b12b1ab3f5cfd7aec0b3958b754ef63bad2.zip | |
Merge pull request #258853 from SuperSandro2000/dex
nixos/dex: fix start with latest systemd update
Diffstat (limited to 'nixos/modules/services/web-apps')
| -rw-r--r-- | nixos/modules/services/web-apps/dex.nix | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index bd041db007a1..0c4a71c6dfe4 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -108,8 +108,7 @@ in ProtectClock = true; ProtectHome = true; ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectControlGroups = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -121,9 +120,7 @@ in RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ]; - TemporaryFileSystem = "/:ro"; - # Does not work well with the temporary root - #UMask = "0066"; + UMask = "0066"; } // optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; }; |