nixos/ympd: Unit hardening

Besides some systemd unit hardening, the nobody user is no longer used,
as suggested in #55370.

authored by Alvar Penning and committed by Rick van Schijndel 63dd9fb5 a8f2090b

+39 -1
+39 -1
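--- a/nixos/modules/services/audio/ympd.nix
+++ b/nixos/modules/services/audio/ympd.nix
@@ -48,8 +48,46 @@
 
   systemd.services.ympd = {
     description = "Standalone MPD Web GUI written in C";
+
     wantedBy = [ "multi-user.target" ];
-    serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host ${cfg.mpd.host} --port ${toString cfg.mpd.port} --webport ${toString cfg.webPort} --user nobody";
+    after = [ "network-online.target" ];
+
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.ympd}/bin/ympd \
+          --host ${cfg.mpd.host} \
+          --port ${toString cfg.mpd.port} \
+          --webport ${toString cfg.webPort}
+      '';
+
+      DynamicUser = true;
+      NoNewPrivileges = true;
+
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ProtectHome = "tmpfs";
+
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+
+      SystemCallFilter = [
+        "@system-service"
+        "~@process"
+        "~@setuid"
+      ];
+    };
   };
 
 };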
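Review bot: `after = [ "network-online.target" ];` only orders the unit and does not activate the target, so without a matching `wants = [ "network-online.target" ];` the ordering takes effect only when something else pulls network-online.target in; systemd's guidance is to set both. Separately, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` will make the MPD connection fail with EAFNOSUPPORT if `cfg.mpd.host` is ever a Unix socket path (libmpdclient appears to treat a leading slash that way — verify against ympd), so either add `"AF_UNIX"` or state in the `services.ympd.mpd.host` description that only TCP hosts are supported. The hardening set could be rounded out, after checking ympd tolerates them, with `CapabilityBoundingSet = ""`, `LockPersonality = true`, `MemoryDenyWriteExecute = true`, `RestrictNamespaces = true` and `SystemCallArchitectures = "native"`, which are the remaining items `systemd-analyze security` typically flags for a service of this shape. The option declarations behind `cfg` and the enclosing module lie outside the hunk.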