Diffstat (limited to 'nixpkgs/nixos/modules/services/web-apps/mastodon.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/web-apps/mastodon.nix | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/nixpkgs/nixos/modules/services/web-apps/mastodon.nix b/nixpkgs/nixos/modules/services/web-apps/mastodon.nix
index 661320b5d00a..5e24bd06ffdb 100644
--- a/nixpkgs/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/mastodon.nix
@@ -31,7 +31,7 @@ let
     // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
     // cfg.extraConfig;
 
-  systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@resources" "@setuid" "@swap" ];
+  systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ];
 
   cfgService = {
     # User and group
@@ -434,7 +434,7 @@ in {
         Type = "oneshot";
         WorkingDirectory = cfg.package;
         # System Call Filtering
-        SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
       } // cfgService;
       after = [ "network.target" ];
 
@@ -448,10 +448,10 @@ in {
             join pg_namespace s on s.oid = c.relnamespace \
             where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
             and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
-          SAFETY_ASSURED=1 rake db:schema:load
-          rake db:seed
+          SAFETY_ASSURED=1 rails db:schema:load
+          rails db:seed
         else
-          rake db:migrate
+          rails db:migrate
         fi
       '';
       path = [ cfg.package pkgs.postgresql ];
@@ -461,7 +461,7 @@ in {
         EnvironmentFile = "/var/lib/mastodon/.secrets_env";
         WorkingDirectory = cfg.package;
         # System Call Filtering
-        SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
       } // cfgService;
       after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
       wantedBy = [ "multi-user.target" ];
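Review bot: Removing `"@resources"` from the shared `systemCallsList` flips the baseline from fail-closed to fail-open: any service that uses the list unchanged now leaves the resource-limit syscalls unfiltered, and the hunks at 434, 461, 487 and 511 each have to remember to append it back, which the sidekiq hunk at 532 does not. Keeping `"@resources"` in the shared deny-list and subtracting it only in the service that is known to need those calls, e.g. `SystemCallFilter = "~" + lib.concatStringsSep " " (lib.subtractLists [ "@resources" ] systemCallsList);`, keeps the list the single place where the baseline can be read. A short comment above the list stating which groups are intentionally exempted per service, and why, would also help the next reader, since the commit gives no reason for the split.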
@@ -487,7 +487,7 @@ in {
         RuntimeDirectory = "mastodon-streaming";
         RuntimeDirectoryMode = "0750";
         # System Call Filtering
-        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]);
       } // cfgService;
     };
 
@@ -511,7 +511,7 @@ in {
         RuntimeDirectory = "mastodon-web";
         RuntimeDirectoryMode = "0750";
         # System Call Filtering
-        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
       } // cfgService;
       path = with pkgs; [ file imagemagick ffmpeg ];
     };
@@ -532,7 +532,7 @@ in {
         EnvironmentFile = "/var/lib/mastodon/.secrets_env";
         WorkingDirectory = cfg.package;
         # System Call Filtering
-        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
+        SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
       } // cfgService;
       path = with pkgs; [ file imagemagick ffmpeg ];
     };
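Review bot: The `@privileged` group silently disappears from the web service's filter here and from the sidekiq filter in the hunk at 532, while the streaming service at 487 keeps it, and nothing in the diff records which syscall forced the change. `@privileged` is the systemd group for calls that need super-user capabilities, so un-denying it for the two services whose `path` includes imagemagick and ffmpeg, i.e. the ones that handle user-supplied media, is the widest loosening in this commit and deserves an inline justification such as `# @privileged left unfiltered: <syscall or feature that needed it> -- TODO confirm` on the `SystemCallFilter` line. If a single call is what is needed, systemd merges repeated `SystemCallFilter=` assignments, so keeping `@privileged` in the deny-list and exempting just that call in a second entry would keep the surface closer to the previous one; whether `CapabilityBoundingSet` in `cfgService` already neutralises most of the group cannot be seen from these hunks.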