author | Alyssa Ross <hi@alyssa.is> | 2019-05-17 10:56:54 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2019-05-17 10:56:54 +0000 |
commit | c1d22074139ab0d048a05b5e5116265d099114d6 (patch) | |
tree | 97977009422d675f8930f97c309b010481289e72 /nixpkgs/nixos/modules/services/monitoring | |
parent | 4dc8afe4fd6b18437150129e0a1ecc23c6a1c0b9 (diff) | |
parent | bc9df0f66110039e495b6debe3a6cda4a1bb0fed (diff) | |
Merge commit 'bc9df0f66110039e495b6debe3a6cda4a1bb0fed'
Diffstat (limited to 'nixpkgs/nixos/modules/services/monitoring')
-rw-r--r-- | nixpkgs/nixos/modules/services/monitoring/vnstat.nix | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/nixpkgs/nixos/modules/services/monitoring/vnstat.nix b/nixpkgs/nixos/modules/services/monitoring/vnstat.nix
index cb2f8c07edb9..e9bedb704a43 100644
--- a/nixpkgs/nixos/modules/services/monitoring/vnstat.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/vnstat.nix
@@ -28,14 +28,29 @@ in {
path = [ pkgs.coreutils ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- unitConfig.documentation = "man:vnstatd(1) man:vnstat(1) man:vnstat.conf(5)";
+ documentation = [
+ "man:vnstatd(1)"
+ "man:vnstat(1)"
+ "man:vnstat.conf(5)"
+ ];
preStart = "chmod 755 /var/lib/vnstat";
serviceConfig = {
ExecStart = "${pkgs.vnstat}/bin/vnstatd -n";
ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID";
- ProtectHome = true;
+
+ # Hardening (from upstream example service)
+ ProtectSystem = "strict";
+ StateDirectory = "vnstat";
PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelModules = true;
PrivateTmp = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ User = "vnstatd";
};
};
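Review bot: `User = "vnstatd"` moves the daemon off root, but the unchanged `preStart = "chmod 755 /var/lib/vnstat"` and any database files written by earlier root-run instances still sit in that directory, so on an upgraded host the unprivileged daemon may be unable to open them unless systemd's `StateDirectory=` handling adjusts ownership of existing contents — worth confirming on a host with pre-existing data, or adding an explicit ownership fixup. The `preStart` chmod itself looks redundant now, since `StateDirectory=` creates the directory with the default `StateDirectoryMode=` of 0755. The hunk does not show a `users.users.vnstatd` declaration; if it is not already present elsewhere in the module the unit will fail to start. For a daemon that only reads interface counters, `LockPersonality = true;`, `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" ];` would be the usual companions to the options added here, with `RestrictAddressFamilies` set once vnstatd's socket needs are confirmed. The enclosing `systemd.services.vnstat` attribute set begins before the hunk.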