nixos/glpi-agent: add hardening

This commit is contained in:
liberodark 2025-05-28 10:56:12 +02:00
parent 6a3349b96c
commit e673eca2be


@ -77,24 +77,61 @@ in
}
];
systemd.tmpfiles.settings."10-glpi-agent" = {
${cfg.stateDir} = {
d = {
mode = "0755";
user = "root";
group = "root";
};
};
};
systemd.services.glpi-agent = {
description = "GLPI Agent";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${lib.getExe cfg.package} --conf-file ${configFile} --vardir ${cfg.stateDir} --daemon --no-fork";
ExecStart = lib.escapeShellArgs [
"${lib.getExe cfg.package}"
"--conf-file"
"${configFile}"
"--vardir"
"${cfg.stateDir}"
"--daemon"
"--no-fork"
];
DynamicUser = true;
StateDirectory = "glpi-agent";
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ];
AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
LimitCORE = 0;
LimitNOFILE = 65535;
LockPersonality = true;
MemorySwapMax = 0;
MemoryZSwapMax = 0;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "10s";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@resources"
"~@privileged"
];
NoNewPrivileges = true;
UMask = "0077";
};
};
};
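Review bot: The `CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ]` / `AmbientCapabilities = [ "CAP_SYS_ADMIN" ]` pair in serviceConfig is undocumented and largely cancels the hardening it sits beside, since CAP_SYS_ADMIN is broad enough that a compromised agent could undo the mount-namespace based protections (ProtectSystem, ProtectHome, ProtectKernelTunables) and mount(2) does not appear to be covered by the `~@privileged` filter below. If the agent genuinely needs it for inventory collection, say which operation requires it, e.g. `# CAP_SYS_ADMIN: required for <operation — TODO confirm>; this weakens the mount-based protections below`, and check whether a narrower capability would suffice. Separately, `StateDirectory = "glpi-agent"` is fixed while `--vardir ${cfg.stateDir}` is configurable; under `ProtectSystem = "strict"` with `DynamicUser`, a non-default cfg.stateDir (created root:root 0755 by the tmpfiles rule above) would presumably be unwritable for the service, so either tie the two together or add the path to `ReadWritePaths`. The enclosing module attribute set continues outside the hunk.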