nixpkgs mirror (for testing) github.com/NixOS/nixpkgs

nixos/open-webui: add additional systemd hardening (#377884)

authored by

Adam C. Stephens and committed by
GitHub
4ee53e65 98a58ea4

+12
+12
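--- a/nixos/modules/services/misc/open-webui.nix
+++ b/nixos/modules/services/misc/open-webui.nix
@@ -120,5 +120,17 @@
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
         UMask = "0077";
+        CapabilityBoundingSet = "";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        ProtectClock = true;
+        ProtectProc = "invisible";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
       };
     };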
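Review bot: `CapabilityBoundingSet = "";` drops every capability, including CAP_NET_BIND_SERVICE, so if the module's listen port is user-configurable (the option is not visible in this hunk) a port below 1024 would now fail at bind time with nothing here explaining why. A one-line comment above that line, such as `# empty bounding set: the service must listen on an unprivileged port (>= 1024)`, or an assertion on the port option, would make the constraint explicit. The `SystemCallFilter` pair terminates the process with SIGSYS on a filtered call by default; for a Python service with many native dependencies, `SystemCallErrorNumber = "EPERM";` is worth considering so that a stray privileged call surfaces as an error rather than a crash. The enclosing attribute set (presumably `serviceConfig`) starts above the hunk, so settings such as `NoNewPrivileges` or `User`/`DynamicUser` could not be checked from here.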