noa/nixconf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

restict namespaces and system

Browse source
This commit is contained in:
Noa Aarts 2025-03-14 10:16:48 +01:00
parent aa4af0bb2a
commit 69b61ba854
Signed by: noa
GPG key ID: 1850932741EFF672
1 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/nuos/configuration.nix
View file

@ -189,11 +189,12 @@ in
ProcSubset = "pid"; ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectSystem = true; ProtectSystem = "strict";
ProtectHostname = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
RestrictNamespaces = ""; RestrictNamespaces = true;
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
EnvironmentFile = config.age.secrets."discord/disqalculate".path; EnvironmentFile = config.age.secrets."discord/disqalculate".path;
BindReadOnlyPaths = [ BindReadOnlyPaths = [