
weewx: harden systemd service

Daniel Kempkens 2024-07-03 21:24:35 +02:00
parent a27dd3c3dd
commit 3c3dd10fca
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
2 changed files with 22 additions and 0 deletions


@ -170,6 +170,7 @@
perSystem = { config, pkgs, inputs', ... }: { perSystem = { config, pkgs, inputs', ... }: {
treefmt = { treefmt = {
package = pkgs.treefmt1;
inherit (config.flake-root) projectRootFile; inherit (config.flake-root) projectRootFile;
programs = { programs = {


@ -41,6 +41,27 @@ in
Group = "weewx"; Group = "weewx";
ExecStart = "${pkg}/bin/weewxd --config=${config.age.secrets.weewx-config.path}"; ExecStart = "${pkg}/bin/weewxd --config=${config.age.secrets.weewx-config.path}";
ExecStopPost = "-!${lib.getExe pkgs.umount} ${home}/weewx-data"; ExecStopPost = "-!${lib.getExe pkgs.umount} ${home}/weewx-data";
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
}; };
}; };
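Review bot: The `ExecStopPost` umount in the context lines at the top of this hunk will probably stop working under the sandbox added below it. The `!` prefix only lifts `User=`/`Group=`, so the command still runs with an empty `CapabilityBoundingSet`, inside `PrivateUsers = true`, and under a `SystemCallFilter` whose `@system-service` allow-list does not include the `@mount` group. Because of the leading `-`, that failure is ignored, so a stale mount at `${home}/weewx-data` would go unnoticed. If the unmount is still needed, `ExecStopPost = "-+${lib.getExe pkgs.umount} ${home}/weewx-data";` should run it outside the sandbox; confirm by stopping the unit and checking the mount table. The enclosing attribute set starts above the hunk, so it is not visible whether `NoNewPrivileges`, `ProtectSystem` and `PrivateTmp` are already set there; `systemd-analyze security` on the unit would show what remains open.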