nixos/uptime-kuma: Apply more hardening settings (#449295)

Luj
2025-10-08 11:13:49 +02:00
committed by GitHub


@@ -53,6 +53,7 @@ in
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
StateDirectory = "uptime-kuma"; StateDirectory = "uptime-kuma";
StateDirectoryMode = "750";
DynamicUser = true; DynamicUser = true;
ExecStart = "${cfg.package}/bin/uptime-kuma-server"; ExecStart = "${cfg.package}/bin/uptime-kuma-server";
Restart = "on-failure"; Restart = "on-failure";
@@ -60,18 +61,20 @@ in
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; # enabling it breaks execution MemoryDenyWriteExecute = false; # enabling it breaks execution
MountAPIVFS = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = "strict";
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "noaccess"; ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = [