servo: slskd: harden (partially)

2024-07-29 01:23:24 +00:00
parent dc053149d0
commit 90df178c35


@@ -70,12 +70,20 @@
# flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs # flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
}; };
systemd.services.slskd.serviceConfig = { systemd.services.slskd = {
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns"; serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
RestartSec = "60s"; serviceConfig.RestartSec = "60s";
# hardening (systemd-analyze security slskd)
# upstream specifies moderate defaults; these are supplementary
# serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.ProcSubset = "pid";
serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
serviceConfig.SystemCallArchitectures = "native";
# serviceConfig.SystemCallFilter = [ "@system-service" ];
}; };
} }
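Review bot: The two hardening directives left commented out on the `serviceConfig.MemoryDenyWriteExecute` and `serviceConfig.SystemCallFilter` lines carry no note saying why they are off, so the next reader cannot tell whether they were tried and broke slskd or were simply never tested, and `systemd-analyze security slskd` will keep reporting both as the largest remaining exposures. Record the reason inline, for example `# serviceConfig.MemoryDenyWriteExecute = true; # disabled: TODO confirm whether the runtime's JIT needs writable+executable pages` and a matching note on the filter line. If the syscall filter was disabled because of an unexplained failure, trialling `SystemCallFilter = [ "@system-service" ]` together with `SystemCallErrorNumber = "EPERM"` and `SystemCallLog = [ "@system-service" ]` would surface the offending syscall in the journal rather than killing the process, which makes the allowlist cheap to finish. The `RestrictAddressFamilies` line omits `AF_NETLINK`; presumably slskd does not enumerate interfaces that way, but that is worth confirming from the journal after the first restart since a blocked socket() there fails quietly.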