servo: slskd: harden (partially)
This commit is contained in:
@@ -70,12 +70,20 @@
|
||||
# flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
|
||||
};
|
||||
|
||||
systemd.services.slskd.serviceConfig = {
|
||||
systemd.services.slskd = {
|
||||
# run this behind the OVPN static VPN
|
||||
NetworkNamespacePath = "/run/netns/ovpns";
|
||||
ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
|
||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||
|
||||
Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
|
||||
RestartSec = "60s";
|
||||
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
|
||||
serviceConfig.RestartSec = "60s";
|
||||
|
||||
# hardening (systemd-analyze security slskd)
|
||||
# upstream specifies moderate defaults; these are supplementary
|
||||
# serviceConfig.MemoryDenyWriteExecute = true;
|
||||
serviceConfig.ProcSubset = "pid";
|
||||
serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||
serviceConfig.SystemCallArchitectures = "native";
|
||||
# serviceConfig.SystemCallFilter = [ "@system-service" ];
|
||||
};
|
||||
}
|
||||
|
Reference in New Issue
Block a user