diff options
| author | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
| commit | 99fcaeccb89621dd492203ce1f2d551c06f228ed (patch) | |
| tree | 41cb730ae07383004789779b0f6e11cb3f4642a3 /nixpkgs/nixos/modules/services/web-apps/isso.nix | |
| parent | 59c5f5ac8682acc13bb22bc29c7cf02f7d75f01f (diff) | |
| parent | 75a5ebf473cd60148ba9aec0d219f72e5cf52519 (diff) | |
| download | nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar.gz nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar.bz2 nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar.lz nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar.xz nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.tar.zst nixlib-99fcaeccb89621dd492203ce1f2d551c06f228ed.zip | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/nixos/modules/config/console.nix nixpkgs/nixos/modules/services/mail/mailman.nix nixpkgs/nixos/modules/services/mail/public-inbox.nix nixpkgs/nixos/modules/services/mail/rss2email.nix nixpkgs/nixos/modules/services/networking/ssh/sshd.nix nixpkgs/pkgs/applications/networking/instant-messengers/dino/default.nix nixpkgs/pkgs/applications/networking/irc/weechat/default.nix nixpkgs/pkgs/applications/window-managers/sway/default.nix nixpkgs/pkgs/build-support/go/module.nix nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix nixpkgs/pkgs/development/interpreters/python/default.nix nixpkgs/pkgs/development/node-packages/overrides.nix nixpkgs/pkgs/development/tools/b4/default.nix nixpkgs/pkgs/servers/dict/dictd-db.nix nixpkgs/pkgs/servers/mail/public-inbox/default.nix nixpkgs/pkgs/tools/security/pinentry/default.nix nixpkgs/pkgs/tools/text/unoconv/default.nix nixpkgs/pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixpkgs/nixos/modules/services/web-apps/isso.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/web-apps/isso.nix | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/nixpkgs/nixos/modules/services/web-apps/isso.nix b/nixpkgs/nixos/modules/services/web-apps/isso.nix index 4c01781a6a2b..1a852ec352f2 100644 --- a/nixpkgs/nixos/modules/services/web-apps/isso.nix +++ b/nixpkgs/nixos/modules/services/web-apps/isso.nix @@ -11,19 +11,19 @@ in { options = { services.isso = { - enable = mkEnableOption '' + enable = mkEnableOption (lib.mdDoc '' A commenting server similar to Disqus. Note: The application's author suppose to run isso behind a reverse proxy. The embedded solution offered by NixOS is also only suitable for small installations below 20 requests per second. - ''; + ''); settings = mkOption { - description = '' - Configuration for <package>isso</package>. + description = lib.mdDoc '' + Configuration for `isso`. - See <link xlink:href="https://posativ.org/isso/docs/configuration/server/">Isso Server Configuration</link> + See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/) for supported values. ''; @@ -63,6 +63,28 @@ in { Restart = "on-failure"; RestartSec = 1; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; }; }; }; |