nixos/modules/services/misc/homepage-dashboard.nix +39 −1 @@ -232,12 +232,50 @@ in serviceConfig = { Type = "simple"; DynamicUser = true; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; StateDirectory = "homepage-dashboard"; CacheDirectory = "homepage-dashboard"; ExecStart = lib.getExe cfg.package; Restart = "on-failure"; # hardening DynamicUser = true; DevicePolicy = "closed"; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; DeviceAllow = ""; NoNewPrivileges = true; PrivateDevices = true; PrivateMounts = true; PrivateTmp = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = "strict"; LockPersonality = true; RemoveIPC = true; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@resources" ]; ProtectProc = "invisible"; ProtectHostname = true; UMask = "0077"; # cpu widget requires access to /proc ProcSubset = if lib.any (widget: widget.resources.cpu or false) cfg.widgets then "all" else "pid"; }; enableStrictShellChecks = true;
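Review bot: The ProcSubset condition at the end of serviceConfig only looks at `widget.resources.cpu`, yet `ProcSubset = "pid"` hides every non-process file under /proc (/proc/meminfo, /proc/uptime, /proc/loadavg, /proc/net/dev, …), so if the other resources sub-widgets (memory, uptime, network, …) read those files — which their names suggest, though the hunk does not show it — they will silently report nothing under the default. Consider keying the switch on the whole resources widget, e.g. `ProcSubset = if lib.any (widget: widget ? resources) cfg.widgets then "all" else "pid";`, or state in the comment that only the cpu sub-widget is accounted for. Note also that `widget.resources.cpu or false` only guards against a missing attribute path; if `widget.resources` can be something other than an attribute set the expression throws at evaluation time rather than falling back to false. A one-line comment on why `AF_NETLINK` is in RestrictAddressFamilies would help, since nothing in the hunk shows the service needing it and it widens the sandbox beyond plain IP sockets. The enclosing module (and the declared type of `cfg.widgets`) lies outside the hunk.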