nixos/meme-bingo-web: fixed documentation, service description and did further hardening

This commit is contained in:
Anna Aurora 2023-10-10 18:46:52 +02:00
parent 34db15c1fd
commit dfd120537d
No known key found for this signature in database
GPG Key ID: 28364F6BBA0F1FFC


@ -17,7 +17,7 @@ in {
baseUrl = mkOption {
description = ''
URL to be used for the HTML <base> element on all HTML routes.
URL to be used for the HTML \<base\> element on all HTML routes.
'';
type = types.str;
default = "http://localhost:41678/";
@ -36,7 +36,7 @@ in {
config = mkIf cfg.enable {
systemd.services.meme-bingo-web = {
description = "A web app for playing meme bingos.";
description = "A web app for playing meme bingos";
wantedBy = [ "multi-user.target" ];
environment = {
@ -59,6 +59,7 @@ in {
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "/dev/random" ];
InaccessiblePaths = [ "/dev/shm" "/sys" ];
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
@ -73,6 +74,7 @@ in {
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictFilesystems = [ "@basic-api" "~sysfs" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
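Review bot: `RestrictFilesystems = [ "@basic-api" "~sysfs" ]` is an allow-list, and as far as I recall `@basic-api` covers only pseudo-filesystems (proc, sysfs, cgroup, devpts, mqueue, devtmpfs), so on a kernel where the BPF LSM is active the unit would be denied opening files on its own store path and on any tmpfs under PrivateTmp, while on a kernel without it systemd logs that the setting is unsupported and ignores it, so a working test run would not prove the list is sufficient. Please confirm the group's contents against systemd's filesystem list and, if needed, widen it, e.g. `RestrictFilesystems = [ "@basic-api" "@common-block" "@temporary" "~sysfs" ];`, after checking `journalctl -u meme-bingo-web` for a RestrictFilesystems warning. The `~sysfs` entry overlaps with `InaccessiblePaths = [ "/dev/shm" "/sys" ]` in the earlier hunk, which is fine as defence in depth, but the `/dev/shm` entry will break the app if it or its runtime uses POSIX shared memory; a short comment recording that this was checked would help the next maintainer. The enclosing serviceConfig attribute set starts and ends outside the hunk.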