rsync-net: hardcode fewer paths

2024-08-03 11:38:43 +00:00
parent 04fc601c9c
commit bebf6bdaeb


@@ -25,8 +25,8 @@ in
list of directories to upload to rsync.net. list of directories to upload to rsync.net.
note that this module does NOT add any encryption to the files (layer that yourself). note that this module does NOT add any encryption to the files (layer that yourself).
''; '';
default = [ default = lib.optionals config.sane.persist.enable [
"/nix/persist/private" config.sane.persist.stores."private".origin
]; ];
}; };
}; };
@@ -55,7 +55,7 @@ in
# hardening # hardening
serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ]; serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs; serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
serviceConfig.ReadOnlyPaths = "/nix/persist/private"; serviceConfig.ReadOnlyPaths = cfg.dirs;
serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6"; serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6";
serviceConfig.LockPersonality = true; serviceConfig.LockPersonality = true;