nixos/uptime-kuma: Add additional lockdown settings to systemd unit (#361452) (a574f2b6) · Commits · nix / nixpkgs

nixos/modules/services/monitoring/uptime-kuma.nix

+19 −10

Original line number	Diff line number	Diff line
		@@ -51,21 +51,30 @@ in
		DynamicUser = true;
		ExecStart = "${cfg.package}/bin/uptime-kuma-server";
		Restart = "on-failure";
		ProtectHome = true;
		ProtectSystem = "strict";
		PrivateTmp = true;
		AmbientCapabilities = "";
		CapabilityBoundingSet = "";
		LockPersonality = true;
		MemoryDenyWriteExecute = false; # enabling it breaks execution
		NoNewPrivileges = true;
		PrivateDevices = true;
		ProtectHostname = true;
		PrivateMounts = true;
		PrivateTmp = true;
		ProtectClock = true;
		ProtectKernelTunables = true;
		ProtectKernelModules = true;
		ProtectKernelLogs = true;
		ProtectControlGroups = true;
		NoNewPrivileges = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "noaccess";
		ProtectSystem = "strict";
		RemoveIPC = true;
		RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		RemoveIPC = true;
		PrivateMounts = true;
		SystemCallArchitectures = "native";
		UMask = 027;
		};
		};
		};