Commit 79ab4bb4 authored by Felix Singer's avatar Felix Singer
Browse files

nixos/redmine: Enable MountAPIVFS hardening in service config 

This setting is already implied by others, but add it for completeness
as well. For documentation see
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#MountAPIVFS=



Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent 21f82706

nixos/modules/services/misc/redmine.nix

+1 −0
Original line number Diff line number Diff line
@@ -461,6 +461,7 @@ in 
        CapabilityBoundingSet = "";

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        MountAPIVFS = true;

        NoNewPrivileges = true;

        PrivateDevices = true;

        PrivateMounts = true;