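--- a/nixos/modules/services/web-apps/gerrit.nix
+++ b/nixos/modules/services/web-apps/gerrit.nix
@@ -222,6 +222,27 @@ in
 StandardOutput = "journal";
 StateDirectory = "gerrit";
 WorkingDirectory = "%S/gerrit";
+AmbientCapabilities = "";
+CapabilityBoundingSet = "";
+LockPersonality = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "noaccess";
+ProtectSystem = "full";
+RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = 027;
 };
 };
 };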
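Review bot: `UMask = 027;` on the last added line reads as an octal mode, but Nix has no octal integer literals, so this is the decimal integer 27; it only produces the intended mask because the unit generator renders it as `UMask=27` and systemd parses UMask values as octal. That coincidence is fragile to read and review, so the value should be the string form other modules use, `UMask = "027";`, which states the intent directly. Separately, the set omits `SystemCallFilter`, which is the directive most hardening reviews of a unit look for first; if it was left out deliberately because of the JVM, a short comment above `SystemCallArchitectures = "native";` saying so (and likewise for the absent `MemoryDenyWriteExecute`, which JIT compilation presumably cannot tolerate) would save the next reviewer from re-proposing it. The enclosing `serviceConfig` attribute set starts before this hunk.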
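--- a/nixos/modules/services/web-apps/gerrit.nix
+++ b/nixos/modules/services/web-apps/gerrit.nix
@@ -222,6 +222,27 @@ in
 StandardOutput = "journal";
 StateDirectory = "gerrit";
 WorkingDirectory = "%S/gerrit";
+AmbientCapabilities = "";
+CapabilityBoundingSet = "";
+LockPersonality = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "noaccess";
+ProtectSystem = "full";
+RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = 027;
 };
 };
 };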