
nixos/pgadmin: Apply hardening options (#441052)

authored by

Florian and committed by
GitHub
5a8b8b2b e4a417c0

+27
+27
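--- a/nixos/modules/services/admin/pgadmin.nix
+++ b/nixos/modules/services/admin/pgadmin.nix
@@ -228,6 +228,33 @@
 "initial_password:${cfg.initialPasswordFile}"
 ]
 ++ lib.optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}";
+AmbientCapabilities = "";
+CapabilityBoundingSet = "";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "full";
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_UNIX"
+"AF_INET"
+"AF_INET6"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = 27;
 };
 };
 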
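Review bot: `UMask = 27;` at the end of the added options is a Nix integer that, as far as the unit generator stringifies it, reaches systemd as `27` and is parsed there as octal, so the effective mask is 027 only by coincidence of notation; `UMask = "0027";` states the intent and cannot be misread as decimal later. Separately, `ProtectSystem = "full";` keeps only /usr, /boot, /efi and /etc read-only, so the rest of the tree (including /var) stays writable to the service; `ProtectSystem = "strict";` would be tighter, provided the unit's state and log directories are declared writable, which this hunk does not show. The enclosing `serviceConfig` attribute set starts above the hunk, so options already set there are not visible here.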