alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

Merge pull request from MidAutumnMoon/go-119-services-fix-2

Browse source
This commit is contained in:
Sandro 2022-10-27 00:49:35 +02:00 committed by GitHub
parent dc5fa53b83 5c983ac37b
commit b99ffef2de
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 5 additions and 5 deletions
nixos/modules/services
networking
snowflake-proxy.nixyggdrasil.nix
web-apps
dex.nixprosody-filer.nix

2
nixos/modules/services/networking/snowflake-proxy.nix
View file

@ -71,7 +71,7 @@ in
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077";
};
};

2
nixos/modules/services/networking/yggdrasil.nix
View file

@ -180,7 +180,7 @@ in {
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
} // (if (cfg.group != null) then {
Group = cfg.group;
} else {});

4
nixos/modules/services/web-apps/dex.nix
View file

@ -58,7 +58,7 @@ in
'';
description = lib.mdDoc ''
The available options can be found in
[the example configuration](https://github.com/dexidp/dex/blob/v${pkgs.dex.version}/config.yaml.dist).
[the example configuration](https://github.com/dexidp/dex/blob/v${pkgs.dex-oidc.version}/config.yaml.dist).
It's also possible to refer to environment variables (defined in [services.dex.environmentFile](#opt-services.dex.environmentFile))
using the syntax `$VARIABLE_NAME`.
@ -119,7 +119,7 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
TemporaryFileSystem = "/:ro";
# Does not work well with the temporary root
#UMask = "0066";

2
nixos/modules/services/web-apps/prosody-filer.nix
View file

@ -79,7 +79,7 @@ in {
LockPersonality = true;
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
};
};
};