colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rustdesk-server: use DynamicUser

Browse Source 
this was a suggestion on #272501
This commit is contained in:
Maciej Krüger 2024-01-23 20:58:21 +01:00
parent 96d1602a5f
commit 9c565e0e69
No known key found for this signature in database
GPG Key ID: 0D948CE19CF49C5F
1 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/modules/services/monitoring/rustdesk-server.nix
View File

@ -35,15 +35,14 @@ in {
Slice = "system-rustdesk.slice"; Slice = "system-rustdesk.slice";
User = "rustdesk"; User = "rustdesk";
Group = "rustdesk"; Group = "rustdesk";
DynamicUser = "yes";
Environment = []; Environment = [];
WorkingDirectory = "/var/lib/rustdesk"; WorkingDirectory = "/var/lib/rustdesk";
StateDirectory = "rustdesk"; StateDirectory = "rustdesk";
StateDirectoryMode = "0750"; StateDirectoryMode = "0750";
LockPersonality = true; LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
@ -53,10 +52,7 @@ in {
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictSUIDSGID = true;
}; };
}; };
in lib.mkIf cfg.enable { in lib.mkIf cfg.enable {