nixos/mastodon: update SystemCallFilters
This commit is contained in:
parent
815f6ba363
commit
8723d226b4
1 changed files with 6 additions and 6 deletions
|
@ -31,7 +31,7 @@ let
|
||||||
// (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
|
// (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
|
||||||
// cfg.extraConfig;
|
// cfg.extraConfig;
|
||||||
|
|
||||||
systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@resources" "@setuid" "@swap" ];
|
systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ];
|
||||||
|
|
||||||
cfgService = {
|
cfgService = {
|
||||||
# User and group
|
# User and group
|
||||||
|
@ -434,7 +434,7 @@ in {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
WorkingDirectory = cfg.package;
|
WorkingDirectory = cfg.package;
|
||||||
# System Call Filtering
|
# System Call Filtering
|
||||||
SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
|
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
|
||||||
} // cfgService;
|
} // cfgService;
|
||||||
|
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
|
@ -461,7 +461,7 @@ in {
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
WorkingDirectory = cfg.package;
|
WorkingDirectory = cfg.package;
|
||||||
# System Call Filtering
|
# System Call Filtering
|
||||||
SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
|
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
|
||||||
} // cfgService;
|
} // cfgService;
|
||||||
after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
|
after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
@ -487,7 +487,7 @@ in {
|
||||||
RuntimeDirectory = "mastodon-streaming";
|
RuntimeDirectory = "mastodon-streaming";
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
# System Call Filtering
|
# System Call Filtering
|
||||||
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
|
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]);
|
||||||
} // cfgService;
|
} // cfgService;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -511,7 +511,7 @@ in {
|
||||||
RuntimeDirectory = "mastodon-web";
|
RuntimeDirectory = "mastodon-web";
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
# System Call Filtering
|
# System Call Filtering
|
||||||
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
|
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
|
||||||
} // cfgService;
|
} // cfgService;
|
||||||
path = with pkgs; [ file imagemagick ffmpeg ];
|
path = with pkgs; [ file imagemagick ffmpeg ];
|
||||||
};
|
};
|
||||||
|
@ -532,7 +532,7 @@ in {
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
WorkingDirectory = cfg.package;
|
WorkingDirectory = cfg.package;
|
||||||
# System Call Filtering
|
# System Call Filtering
|
||||||
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
|
SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
|
||||||
} // cfgService;
|
} // cfgService;
|
||||||
path = with pkgs; [ file imagemagick ffmpeg ];
|
path = with pkgs; [ file imagemagick ffmpeg ];
|
||||||
};
|
};
|
||||||
|
|
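Review bot: In the `@ -511` (mastodon-web) and `@ -532` (mastodon-sidekiq) hunks the new side no longer denies `@privileged` — web goes from `systemCallsList ++ [ "@privileged" ]` to `systemCallsList ++ [ "@resources" ]`, and sidekiq to bare `systemCallsList`, so sidekiq now blocks neither `@privileged` nor `@resources` while the streaming unit blocks both. The page has dropped the +/- markers, so this reads the second of each printed pair as the new side; if that is right, the commit title "update SystemCallFilters" does not record why the sandbox of these two units is loosened, and a later hardening pass will likely re-add the groups and reintroduce whatever breakage this fixes. Put the reason next to each loosened filter, e.g. `# @privileged (and, for sidekiq, @resources) are intentionally not denied: <syscall group the service needs — TODO fill in>` above the `SystemCallFilter` lines in those two hunks. Moving `@resources` out of the shared `systemCallsList` (`@ -31` hunk) deserves a similar one-line comment on the list itself, since each unit now has to opt back in explicitly.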