mirror of
https://github.com/blahai/nyx.git
synced 2025-02-24 17:48:49 -05:00
36 lines
864 B
Nix
36 lines
864 B
Nix
|
let
|
||
|
|
# this is a forced SSL template for Nginx
|
||
|
|
# returns the attribute set with our desired settings
|
||
|
|
systemd = {
|
||
|
|
LockPersonality = true;
|
||
|
|
MemoryDenyWriteExecute = true;
|
||
|
|
NoNewPrivileges = true;
|
||
|
|
PrivateDevices = true;
|
||
|
|
PrivateIPC = true;
|
||
|
|
PrivateTmp = true;
|
||
|
|
PrivateUsers = true;
|
||
|
|
ProtectClock = true;
|
||
|
|
ProtectControlGroups = true;
|
||
|
|
ProtectHome = true;
|
||
|
|
ProtectHostname = true;
|
||
|
|
ProtectKernelLogs = true;
|
||
|
|
ProtectKernelModules = true;
|
||
|
|
ProtectKernelTunables = true;
|
||
|
|
ProtectProc = "invisible";
|
||
|
|
ProtectSystem = "strict";
|
||
|
|
RestrictNamespaces = "uts ipc pid user cgroup";
|
||
|
|
RestrictRealtime = true;
|
||
|
|
RestrictSUIDSGID = true;
|
||
|
|
SystemCallArchitectures = "native";
|
||
|
|
SystemCallFilter = ["@system-service"];
|
||
|
|
UMask = "0077";
|
||
|
|
};
|
||
|
|
|
||
|
|
xdg = import ./xdg.nix;
|
||
|
|
in {
|
||
|
|
inherit
|
||
|
|
systemd
|
||
|
|
xdg
|
||
|
|
;
|
||
|
|
}
|