nydragon/nix-da
1
Fork 0
Code Issues Pull requests Activity Actions 1

feat: harden nysh

Browse source
This commit is contained in:
Nydragon 2024-10-30 22:52:14 +01:00
parent d6c16ee186
commit 805ed8e3b9
Signed by: nydragon
SSH key fingerprint: SHA256:WcjW5NJPQ8Dx4uQDmoIlVPLWE27Od3fxoe0IUvuoPHE
1 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
options/services/nysh.nix
View file

@ -24,15 +24,21 @@ in
"multi-user.target" "multi-user.target"
"graphical-session.target" "graphical-session.target"
]; ];
partOf = [ "graphical-session.target" ];
after = [ "graphical-session-pre.target" ];
unitConfig = {
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh"; ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
Restart = "on-failure"; Restart = "on-failure";
NoNewPrivileges = true;
PrivateMounts = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectProc = true;
PrivateTmp = true;
IPAddressDeny = "any";
}; };
}; };
}; };