diff options
| author | Martin Milata <martin@martinmilata.cz> | 2020-02-25 00:46:21 +0100 |
|---|---|---|
| committer | Martin Milata <martin@martinmilata.cz> | 2020-02-25 01:32:31 +0100 |
| commit | 9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9 (patch) | |
| tree | 6a765b18c6abc96613a0bc427aab5f4ed02113a8 /nixos | |
| parent | 3b27f4d9455c0b7962f22f0be2d04126984aad31 (diff) | |
| download | nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar.gz nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar.bz2 nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar.lz nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar.xz nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.tar.zst nixlib-9b0a9577f78fc8fc619cd75cc87cfe8e1c39b7b9.zip | |
nixos/parsoid: enable systemd sandboxing
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/misc/parsoid.nix | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/nixos/modules/services/misc/parsoid.nix b/nixos/modules/services/misc/parsoid.nix index 9c2afa3207ae..09b7f977bfbf 100644 --- a/nixos/modules/services/misc/parsoid.nix +++ b/nixos/modules/services/misc/parsoid.nix @@ -98,8 +98,29 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - User = "nobody"; ExecStart = "${parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}"; + + DynamicUser = true; + User = "parsoid"; + Group = "parsoid"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + #MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; }; }; |