treewide: run nixfmt 1.0.0
@@ -191,50 +191,49 @@ in
|
||||
snapraid-sync = {
|
||||
description = "Synchronize the state of the SnapRAID array";
|
||||
startAt = sync.interval;
|
||||
serviceConfig =
|
||||
{
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
|
||||
Nice = 19;
|
||||
IOSchedulingPriority = 7;
|
||||
CPUSchedulingPolicy = "batch";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
|
||||
Nice = 19;
|
||||
IOSchedulingPriority = 7;
|
||||
CPUSchedulingPolicy = "batch";
|
||||
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = "none";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
CapabilityBoundingSet = "CAP_DAC_OVERRIDE" + lib.optionalString cfg.touchBeforeSync " CAP_FOWNER";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = "none";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
CapabilityBoundingSet = "CAP_DAC_OVERRIDE" + lib.optionalString cfg.touchBeforeSync " CAP_FOWNER";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = "read-only";
|
||||
ReadWritePaths =
|
||||
# sync requires access to directories containing content files
|
||||
# to remove them if they are stale
|
||||
let
|
||||
contentDirs = map dirOf contentFiles;
|
||||
# Multiple "split" parity files can be specified in a single
|
||||
# "parityFile", separated by a comma.
|
||||
# https://www.snapraid.it/manual#7.1
|
||||
splitParityFiles = map (s: lib.splitString "," s) parityFiles;
|
||||
in
|
||||
lib.unique (lib.attrValues dataDisks ++ splitParityFiles ++ contentDirs);
|
||||
}
|
||||
// lib.optionalAttrs touchBeforeSync {
|
||||
ExecStartPre = "${pkgs.snapraid}/bin/snapraid touch";
|
||||
};
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = "read-only";
|
||||
ReadWritePaths =
|
||||
# sync requires access to directories containing content files
|
||||
# to remove them if they are stale
|
||||
let
|
||||
contentDirs = map dirOf contentFiles;
|
||||
# Multiple "split" parity files can be specified in a single
|
||||
# "parityFile", separated by a comma.
|
||||
# https://www.snapraid.it/manual#7.1
|
||||
splitParityFiles = map (s: lib.splitString "," s) parityFiles;
|
||||
in
|
||||
lib.unique (lib.attrValues dataDisks ++ splitParityFiles ++ contentDirs);
|
||||
}
|
||||
// lib.optionalAttrs touchBeforeSync {
|
||||
ExecStartPre = "${pkgs.snapraid}/bin/snapraid touch";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||