lol

services.meilisearch: restrict write paths and add hardening option RemoveIPC

6543 fcf00a6c 63ac62c2

+9 -1
+9 -1
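--- a/nixos/modules/services/search/meilisearch.nix
+++ b/nixos/modules/services/search/meilisearch.nix
@@ -223,6 +223,9 @@
       );
 
       serviceConfig = {
+        Type = "simple";
+        DynamicUser = true;
+        Restart = "always";
         LoadCredential = lib.mkMerge (
           [
             (lib.mkIf (cfg.masterKeyFile != null) [ "master_key:${cfg.masterKeyFile}" ])
@@ -232,11 +235,15 @@
           ) secrets-with-path
         );
         ExecStart = "${lib.getExe cfg.package} --config-file-path \${RUNTIME_DIRECTORY}/config.toml";
-        DynamicUser = true;
         StateDirectory = "meilisearch";
         WorkingDirectory = "%S/meilisearch";
         RuntimeDirectory = "meilisearch";
         RuntimeDirectoryMode = "0700";
+        ReadWritePaths = [
+          cfg.settings.db_path
+          cfg.settings.dump_dir
+          cfg.settings.snapshot_dir
+        ];
 
         ProtectSystem = "strict";
         ProtectHome = true;
@@ -255,6 +262,7 @@
         RestrictSUIDSGID = true;
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
+        RemoveIPC = true;
 
         # Meilisearch needs to determine cgroup memory limits to set its own memory limits.
         # This means this can't be set to "pid"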
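Review bot: The new `ReadWritePaths` list passes `cfg.settings.db_path`, `dump_dir` and `snapshot_dir` through unchanged, but systemd only honours absolute entries there and fails the unit's mount-namespace setup when a listed path does not exist at start; the values of these settings are not visible in this hunk, so if they can be relative to `WorkingDirectory` (Meilisearch's upstream defaults are) or point at a directory the daemon creates on first run, the service will not start under `ProtectSystem = "strict"`. If the paths are guaranteed absolute, prefixing them lets a missing directory be skipped rather than fatal: `ReadWritePaths = map (p: "-${p}") [ cfg.settings.db_path cfg.settings.dump_dir cfg.settings.snapshot_dir ];`, and a short comment such as `# Must be absolute; a leading "-" tolerates a path that does not exist yet` would record the constraint next to the option. Entries that resolve under `%S/meilisearch` are already writable via `StateDirectory`, which is worth noting so a reader does not assume the list is what grants access to the default layout. The enclosing `serviceConfig` attribute set continues past the end of the last hunk.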