diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/misc/gitea.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/gitea.nix | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index 4992b13c9d4a..258476dd9feb 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,26 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectHome = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { @@ -409,6 +429,7 @@ in home = cfg.stateDir; useDefaultShell = true; group = "gitea"; + isSystemUser = true; }; }; @@ -452,4 +473,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; + meta.maintainers = with lib.maintainers; [ srhb ]; } |