nixos/pgadmin: Apply hardening options

Signed-off-by: Felix Singer <felixsinger@posteo.net>
Felix Singer
2025-09-07 23:48:56 +02:00
parent ecb4f79d82
commit 35693b3279


@@ -228,6 +228,33 @@ in
"initial_password:${cfg.initialPasswordFile}" "initial_password:${cfg.initialPasswordFile}"
] ]
++ lib.optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}"; ++ lib.optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = 27;
}; };
}; };
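Review bot: `ProtectSystem = "full";` only makes /usr, /boot, /efi and /etc read-only, so a compromised pgAdmin process can still write anywhere else that file permissions allow. `ProtectSystem = "strict";` would make the whole hierarchy read-only except for paths the unit declares; this assumes the data and log directories are provided through `StateDirectory`/`LogsDirectory` or `ReadWritePaths` in the part of `serviceConfig` that lies outside this hunk. `UMask = 27;` reads as a decimal number in Nix although systemd parses the rendered value as octal, and `UMask = "0027";` would make the intended mode explicit. The set also has no `SystemCallFilter`; `SystemCallFilter = [ "@system-service" "~@privileged" ];` is the usual companion to `SystemCallArchitectures = "native"`, to be added once it is confirmed that pgAdmin still starts with it.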