Commit b19c6d96 authored by Felix Singer's avatar Felix Singer

nixos/redmine: Set ProtectSystem to `strict`



Make the whole file system read-only except the directories related to
Redmine, like the state directory. The runtime directory is already
excluded by configuring it with the option `RuntimeDirectory`.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent 31f095fa
+4 −1
@@ -474,7 +474,10 @@ in
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "noaccess";
        ProtectSystem = "full";
        ProtectSystem = "strict";
        ReadWritePaths = [
          cfg.stateDir
        ];
        RemoveIPC = true;
        RestrictAddressFamilies = [
          "AF_UNIX"
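Review bot: With `ProtectSystem = "strict";`, the list `ReadWritePaths = [ cfg.stateDir ];` becomes the only writable location besides the runtime directory, so any write Redmine makes outside it will fail as read-only. That includes `/tmp` and `/var/tmp` unless `PrivateTmp = true;` is set elsewhere in this `serviceConfig`, which the hunk does not show. It is also worth confirming that `cfg.stateDir` is guaranteed to exist before the unit starts, because systemd fails the mount-namespace setup when a `ReadWritePaths` entry is missing (a leading `-` on the path makes it optional). A one-line comment above the list would record the intent, e.g. `# strict mounts the whole tree read-only; only the state dir and RuntimeDirectory stay writable`. The attribute set continues past the end of the hunk.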