nixos/doc/manual/release-notes/rl-2605.section.md +2 −0 @@ -202,6 +202,8 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>. - `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options. - The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions. - `services.kanidm` options for server, client and unix were moved under dedicated namespaces. For each component `enableComponent` and `componentSettings` are now `component.enable` and `component.settings`. The unix module now supports using SSH keys from Kanidm via
nixos/modules/services/web-apps/calibre-web.nix +39 −0 @@ -184,6 +184,45 @@ in CacheDirectory = "calibre-web"; CacheDirectoryMode = "0750"; NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelLogs = true; ProtectControlGroups = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; ProtectHome = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictRealtime = true; SystemCallArchitectures = "native"; RestrictNamespaces = true; RemoveIPC = true; CapabilityBoundingSet = ""; AmbientCapabilities = ""; ProtectKernelModules = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; SystemCallFilter = [ "~@obsolete" "~@privileged" "~@raw-io" "~@resources" "~@mount" "~@debug" "~@cpu-emulation" ]; } // lib.optionalAttrs (!(lib.hasPrefix "/" cfg.dataDir)) { StateDirectory = cfg.dataDir;
nixos/doc/manual/release-notes/rl-2605.section.md +2 −0 @@ -202,6 +202,8 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>. - `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options. - The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions. - `services.kanidm` options for server, client and unix were moved under dedicated namespaces. For each component `enableComponent` and `componentSettings` are now `component.enable` and `component.settings`. The unix module now supports using SSH keys from Kanidm via
nixos/modules/services/web-apps/calibre-web.nix +39 −0 @@ -184,6 +184,45 @@ in CacheDirectory = "calibre-web"; CacheDirectoryMode = "0750"; NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelLogs = true; ProtectControlGroups = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; ProtectHome = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictRealtime = true; SystemCallArchitectures = "native"; RestrictNamespaces = true; RemoveIPC = true; CapabilityBoundingSet = ""; AmbientCapabilities = ""; ProtectKernelModules = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; SystemCallFilter = [ "~@obsolete" "~@privileged" "~@raw-io" "~@resources" "~@mount" "~@debug" "~@cpu-emulation" ]; } // lib.optionalAttrs (!(lib.hasPrefix "/" cfg.dataDir)) { StateDirectory = cfg.dataDir;
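Review bot: `ProtectSystem = "strict"` is added unconditionally, but the trailing context sets `StateDirectory = cfg.dataDir;` only when `cfg.dataDir` is relative, so an absolute `dataDir` looks like it becomes read-only to the service unless a `ReadWritePaths` entry exists outside this hunk. If none does, add a matching branch such as `// lib.optionalAttrs (lib.hasPrefix "/" cfg.dataDir) { ReadWritePaths = [ cfg.dataDir ]; }`, so that users are not pushed into overriding the sandbox wholesale; the same applies to any library directory the service must write to, and `ProtectHome = true` would hide one kept under `/home`. Separately, `SystemCallFilter` holds only `~@group` deny entries, which leaves every unlisted syscall allowed; starting the list with `"@system-service"` and keeping the denials after it gives an allow-list baseline. The attribute set starts before the hunk and continues after it.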