Loading nixos/modules/services/misc/flaresolverr.nix +64 −0 Original line number Diff line number Diff line Loading @@ -46,13 +46,77 @@ in RestartSec = 5; Type = "simple"; DynamicUser = true; UMask = "0077"; RuntimeDirectory = "flaresolverr"; WorkingDirectory = "/run/flaresolverr"; ExecStart = lib.getExe cfg.package; TimeoutStopSec = 30; # Systemd hardening LockPersonality = true; PrivateDevices = true; PrivateMounts = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; RestrictRealtime = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = [ "net" "pid" "user" ]; CapabilityBoundingSet = [ "~CAP_BLOCK_SUSPEND" "~CAP_BPF" "~CAP_CHOWN" "~CAP_IPC_LOCK" "~CAP_MKNOD" "~CAP_NET_ADMIN" "~CAP_NET_RAW" "~CAP_PERFMON" "~CAP_SYSLOG" "~CAP_SYS_ADMIN" "~CAP_SYS_BOOT" "~CAP_SYS_MODULE" "~CAP_SYS_PACCT" "~CAP_SYS_PTRACE" "~CAP_SYS_TIME" "~CAP_WAKE_ALARM" ]; SystemCallFilter = [ "~@chown" "~@clock" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" "~@obsolete" "~@pkey" "~@raw-io" "~@reboot" "~@setuid" "~@swap" "~@timer" ]; SystemCallErrorNumber = "EPERM"; SystemCallArchitectures = "native"; }; }; networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; }; }; meta.maintainers = with lib.maintainers; [ diogotcorreia ]; } nixos/tests/flaresolverr.nix +1 −1 Original line number Diff line number Diff line { lib, ... }: { name = "flaresolverr"; meta.maintainers = [ ]; meta.maintainers = with lib.maintainers; [ diogotcorreia ]; nodes.machine = { pkgs, ... }: Loading pkgs/by-name/fl/flaresolverr/package.nix +1 −1 Original line number Diff line number Diff line Loading 
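Review bot: `CapabilityBoundingSet` is written as a deny-list, so every capability not named — CAP_SYS_RAWIO, CAP_SETUID/CAP_SETGID, CAP_DAC_OVERRIDE and CAP_SYS_CHROOT among others — stays in the bounding set of a unit that otherwise runs as an unprivileged DynamicUser; `CapabilityBoundingSet = "";` (drop everything) is the usual form, unless the Chromium sandbox turns out to need one of the remaining capabilities, in which case that exception should be named in a comment. The same applies to `SystemCallFilter`: an enumerated `~@…` list leaves `@mount`, `@privileged` and `@resources` reachable, and if the departure from the nixpkgs-style `@system-service` allow-list exists because the browser sandbox needs calls outside it (presumably `chroot`/namespace setup), that reason belongs in a comment above the list. The `# Systemd hardening` header also says nothing about why `RestrictNamespaces` keeps `net`, `pid` and `user` creatable or why `MemoryDenyWriteExecute` is absent; I would add `# Chromium's sandbox creates user/pid/net namespaces and its JIT needs W+X pages — presumably why these stay permitted; verify before tightening`. The enclosing attribute set opens before the hunk, and the same hunk is rendered a second time further down the page.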
@@ -71,7 +71,7 @@ stdenv.mkDerivation (finalAttrs: { changelog = "https://github.com/FlareSolverr/FlareSolverr/blob/${finalAttrs.src.rev}/CHANGELOG.md"; license = lib.licenses.mit; mainProgram = "flaresolverr"; maintainers = [ ]; maintainers = with lib.maintainers; [ diogotcorreia ]; inherit (undetected-chromedriver.meta) platforms; }; }) Loading
nixos/modules/services/misc/flaresolverr.nix +64 −0 Original line number Diff line number Diff line Loading @@ -46,13 +46,77 @@ in RestartSec = 5; Type = "simple"; DynamicUser = true; UMask = "0077"; RuntimeDirectory = "flaresolverr"; WorkingDirectory = "/run/flaresolverr"; ExecStart = lib.getExe cfg.package; TimeoutStopSec = 30; # Systemd hardening LockPersonality = true; PrivateDevices = true; PrivateMounts = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; RestrictRealtime = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = [ "net" "pid" "user" ]; CapabilityBoundingSet = [ "~CAP_BLOCK_SUSPEND" "~CAP_BPF" "~CAP_CHOWN" "~CAP_IPC_LOCK" "~CAP_MKNOD" "~CAP_NET_ADMIN" "~CAP_NET_RAW" "~CAP_PERFMON" "~CAP_SYSLOG" "~CAP_SYS_ADMIN" "~CAP_SYS_BOOT" "~CAP_SYS_MODULE" "~CAP_SYS_PACCT" "~CAP_SYS_PTRACE" "~CAP_SYS_TIME" "~CAP_WAKE_ALARM" ]; SystemCallFilter = [ "~@chown" "~@clock" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" "~@obsolete" "~@pkey" "~@raw-io" "~@reboot" "~@setuid" "~@swap" "~@timer" ]; SystemCallErrorNumber = "EPERM"; SystemCallArchitectures = "native"; }; }; networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; }; }; meta.maintainers = with lib.maintainers; [ diogotcorreia ]; }
nixos/tests/flaresolverr.nix +1 −1 Original line number Diff line number Diff line { lib, ... }: { name = "flaresolverr"; meta.maintainers = [ ]; meta.maintainers = with lib.maintainers; [ diogotcorreia ]; nodes.machine = { pkgs, ... }: Loading
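--- a/pkgs/by-name/fl/flaresolverr/package.nix
+++ b/pkgs/by-name/fl/flaresolverr/package.nix
@@ -71,7 +71,7 @@ stdenv.mkDerivation (finalAttrs: {
     changelog = "https://github.com/FlareSolverr/FlareSolverr/blob/${finalAttrs.src.rev}/CHANGELOG.md";
     license = lib.licenses.mit;
     mainProgram = "flaresolverr";
-    maintainers = [ ];
+    maintainers = with lib.maintainers; [ diogotcorreia ];
     inherit (undetected-chromedriver.meta) platforms;
   };
 })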