nixos/taskserver: Set up service namespaces

The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
aszlig 2016-04-12 06:26:39 +02:00
parent dd0d64afea
commit bb7a819735
GPG Key ID: D0EBD0EC8C2DC961

@ -417,6 +417,9 @@ in {
serviceConfig.User = cfg.user; serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group; serviceConfig.Group = cfg.group;
serviceConfig.PermissionsStartOnly = true; serviceConfig.PermissionsStartOnly = true;
serviceConfig.PrivateNetwork = true;
serviceConfig.PrivateDevices = true;
serviceConfig.PrivateTmp = true;
}; };
systemd.services.taskserver = { systemd.services.taskserver = {
@ -437,6 +440,8 @@ in {
ExecStart = "@${taskd} taskd server"; ExecStart = "@${taskd} taskd server";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
PermissionsStartOnly = true; PermissionsStartOnly = true;
PrivateTmp = true;
PrivateDevices = true;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
}; };
@ -450,6 +455,8 @@ in {
description = "Initialize CA for TaskServer"; description = "Initialize CA for TaskServer";
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.UMask = "0077"; serviceConfig.UMask = "0077";
serviceConfig.PrivateNetwork = true;
serviceConfig.PrivateTmp = true;
script = '' script = ''
silent_certtool() { silent_certtool() {