Loading nixos/modules/services/misc/redmine.nix +24 −0 Original line number Diff line number Diff line Loading @@ -436,6 +436,30 @@ in TimeoutSec = "300"; WorkingDirectory = "${cfg.package}/share/redmine"; ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; AmbientCapabilities = ""; CapabilityBoundingSet = ""; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "noaccess"; ProtectSystem = "full"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; UMask = 027; }; }; Loading Loading
nixos/modules/services/misc/redmine.nix +24 −0 Original line number Diff line number Diff line Loading @@ -436,6 +436,30 @@ in TimeoutSec = "300"; WorkingDirectory = "${cfg.package}/share/redmine"; ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; AmbientCapabilities = ""; CapabilityBoundingSet = ""; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "noaccess"; ProtectSystem = "full"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; UMask = 027; }; }; Loading
