mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-23 22:20:51 +00:00
Code Issues Wiki Activity

nixos/mastodon: remove duplicates SystemCallFilters

Browse source
This commit is contained in:
Izorkin 2021-05-12 11:28:40 +03:00 committed by Kerstin
parent 943f15d4b7
commit 700ea62f54
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/services/web-apps/mastodon.nix
View file

@ -38,7 +38,7 @@ let
// (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
// cfg.extraConfig;
systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ];
systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@mount" "@obsolete" "@privileged" "@setuid" ];
cfgService = {
# User and group
@ -468,7 +468,7 @@ in {
Type = "oneshot";
WorkingDirectory = cfg.package;
# System Call Filtering
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
} // cfgService;
after = [ "network.target" ];
@ -495,7 +495,7 @@ in {
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
WorkingDirectory = cfg.package;
# System Call Filtering
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
} // cfgService;
after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
wantedBy = [ "multi-user.target" ];
@ -521,7 +521,7 @@ in {
RuntimeDirectory = "mastodon-streaming";
RuntimeDirectoryMode = "0750";
# System Call Filtering
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]);
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
} // cfgService;
};
@ -545,7 +545,7 @@ in {
RuntimeDirectory = "mastodon-web";
RuntimeDirectoryMode = "0750";
# System Call Filtering
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
} // cfgService;
path = with pkgs; [ file imagemagick ffmpeg ];
};
@ -567,7 +567,7 @@ in {
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
WorkingDirectory = cfg.package;
# System Call Filtering
SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" ];
} // cfgService;
path = with pkgs; [ file imagemagick ffmpeg ];
};