servo: jackett: harden
@@ -12,13 +12,25 @@ in
|
|||||||
|
|
||||||
systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
|
systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
|
||||||
systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
|
systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
|
||||||
systemd.services.jackett.serviceConfig = {
|
systemd.services.jackett = {
|
||||||
# run this behind the OVPN static VPN
|
# run this behind the OVPN static VPN
|
||||||
NetworkNamespacePath = "/run/netns/ovpns";
|
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
|
||||||
ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||||
# patch in `--ListenPublic` so that it's reachable from the netns veth.
|
# patch in `--ListenPublic` so that it's reachable from the netns veth.
|
||||||
# this also makes it reachable from the VPN pub address. oh well.
|
# this also makes it reachable from the VPN pub address. oh well.
|
||||||
ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
|
serviceConfig.ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
|
||||||
|
serviceConfig.RestartSec = "30s";
|
||||||
|
|
||||||
|
# hardening (systemd-analyze security jackett)
|
||||||
|
# TODO: upstream into nixpkgs
|
||||||
|
serviceConfig.LockPersonality = true;
|
||||||
|
serviceConfig.NoNewPrivileges = true;
|
||||||
|
# serviceConfig.MemoryDenyWriteExecute = true; #< Failed to create CoreCLR, HRESULT: 0x80004005
|
||||||
|
serviceConfig.PrivateDevices = true;
|
||||||
|
serviceConfig.PrivateMounts = true;
|
||||||
|
serviceConfig.PrivateTmp = true;
|
||||||
|
serviceConfig.PrivateUsers = true;
|
||||||
|
serviceConfig.ProcSubset = "pid";
|
||||||
};
|
};
|
||||||
|
|
||||||
# jackett torrent search
|
# jackett torrent search
|
||||||
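Review bot: The hardening block from `serviceConfig.LockPersonality` through `serviceConfig.ProcSubset` omits the filesystem and kernel-surface directives that `systemd-analyze security` (cited in the new comment) weights most heavily, so the unit will still score as exposed unless the upstream nixpkgs jackett module already sets them, which is not visible in this hunk. The writable state is already named by `cfg.dataDir` on the `ExecStart` line, so `ProtectSystem = "strict"` with `ReadWritePaths = [ cfg.dataDir ]` is a natural next step, together with the `Protect*`/`Restrict*` directives below; each one should be checked against the CoreCLR start-up failure already recorded for `MemoryDenyWriteExecute`, and a syscall filter in particular may need widening for the .NET runtime. The existing `--ListenPublic` comment still acknowledges exposure on the VPN public address, which none of the new keys narrow; the `# TODO: upstream into nixpkgs` line would be more useful if it also recorded the before/after `systemd-analyze security` score so the residual gap is explicit.
```nix
# … unchanged: existing hardening keys LockPersonality … ProcSubset …
serviceConfig.ProtectSystem = "strict";
serviceConfig.ReadWritePaths = [ cfg.dataDir ];
serviceConfig.ProtectHome = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
# verify against CoreCLR before enabling; widen the set if start-up fails
serviceConfig.SystemCallFilter = [ "@system-service" ];
```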
|