Commit 5b0ee7f9 authored by Felix Singer's avatar Felix Singer

nixos/murmur: Set ProtectSystem to `strict`



Make the whole file system read-only except the directories related to
Murmur, like the state or runtime directories.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent e35a0677
+4 −1
@@ -355,7 +355,10 @@ in
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "full";
        ProtectSystem = "strict";
        ReadWritePaths = [
          cfg.stateDir
        ];
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
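Review bot: `ReadWritePaths` names only `cfg.stateDir`, so with `ProtectSystem = "strict"` every other location the service may be configured to write to becomes read-only. If the module lets users point a log file, for example, outside the state directory (its option definitions are not visible in this hunk), murmur would fail to write there after this change. systemd also fails namespace setup when a listed path does not exist, so this relies on the state directory being created before the unit starts, which presumably happens elsewhere in the module. I would add a comment above the list such as `# strict makes the whole tree read-only; any configurable writable path outside stateDir must be listed here`, and consider appending such paths conditionally. The service configuration attribute set begins and ends outside the hunk.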