Loading nixos/modules/services/web-apps/alps.nix +6 −4 Original line number Diff line number Diff line Loading @@ -98,11 +98,11 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}"; AmbientCapabilities = ""; CapabilityBoundingSet = ""; DynamicUser = true; ## This is desirable but would restrict bindIP to 127.0.0.1 #IPAddressAllow = "localhost"; #IPAddressDeny = "any"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateIPC = true; Loading @@ -122,8 +122,10 @@ in { RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SocketBindAllow = cfg.port; SocketBindDeny = "any"; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ]; SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; }; }; }; Loading nixos/tests/alps.nix +2 −1 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { }; }; testScript = '' testScript = { nodes, ... }: '' server.start() server.wait_for_unit("postfix.service") server.wait_for_unit("dovecot2.service") Loading @@ -99,6 +99,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { client.start() client.wait_for_unit("alps.service") client.wait_for_open_port(${toString nodes.client.config.services.alps.port}) client.succeed("test-alps-login") ''; }) Loading
nixos/modules/services/web-apps/alps.nix +6 −4 Original line number Diff line number Diff line Loading @@ -98,11 +98,11 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}"; AmbientCapabilities = ""; CapabilityBoundingSet = ""; DynamicUser = true; ## This is desirable but would restrict bindIP to 127.0.0.1 #IPAddressAllow = "localhost"; #IPAddressDeny = "any"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateIPC = true; Loading @@ -122,8 +122,10 @@ in { RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SocketBindAllow = cfg.port; SocketBindDeny = "any"; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ]; SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; }; }; }; Loading
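Review bot: `SocketBindAllow = cfg.port;` in the second hunk permits that port for every transport protocol and address family, although the service presumably only needs a TCP listener; `SocketBindAllow = "tcp:${toString cfg.port}";` would keep the allow-list to what alps actually binds. The listen address reaches the process through `cfg.args` on the `ExecStart` line, so if `args` can be set independently of `cfg.port` (the option definitions are outside this hunk), a mismatch now ends in a bind() permission error at start-up. A short comment beside the two new settings, such as `# bind() is limited to cfg.port; a listen address set through cfg.args must use the same port`, would make that coupling visible. The `serviceConfig` block begins before the first hunk and part of it is not shown between the two hunks.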
nixos/tests/alps.nix +2 −1 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { }; }; testScript = '' testScript = { nodes, ... }: '' server.start() server.wait_for_unit("postfix.service") server.wait_for_unit("dovecot2.service") Loading @@ -99,6 +99,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { client.start() client.wait_for_unit("alps.service") client.wait_for_open_port(${toString nodes.client.config.services.alps.port}) client.succeed("test-alps-login") ''; })