Attempt to fix module
This commit is contained in:
parent
ed25eca79f
commit
04fd788980
SSH Key Fingerprint:
SHA256:KjAds8wHfD2mBYK2H815s/+ABcSdcIHUndwHEdSxml4
@ -5,9 +5,10 @@
|
|||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
cfg = config.labmon;
|
||||||
settingsFormat = pkgs.format.toml { };
|
settingsFormat = pkgs.format.toml { };
|
||||||
|
|
||||||
settingsFile = settingsFormat.generate "labmon.toml" config.labmon.settings;
|
settingsFile = settingsFormat.generate "labmon.toml" cfg.labmon.settings;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.labmon = {
|
options.labmon = {
|
||||||
@ -21,45 +22,47 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.labmon = {
|
config = lib.mkIf cfg.enable {
|
||||||
wantedBy = [ "multi-user.target" ];
|
systemd.services.labmon = {
|
||||||
after = [ "network.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
|
ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
|
|
||||||
# Hardening
|
# Hardening
|
||||||
DevicePolicy = "strict";
|
DevicePolicy = "strict";
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
MemoryDenyWriteExecute = true;
|
MemoryDenyWriteExecute = true;
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
ProtectClock = true;
|
ProtectClock = true;
|
||||||
ProtectControlGroups = true;
|
ProtectControlGroups = true;
|
||||||
ProtectHome = true;
|
ProtectHome = true;
|
||||||
ProtectHostname = true;
|
ProtectHostname = true;
|
||||||
ProtectKernelLogs = true;
|
ProtectKernelLogs = true;
|
||||||
ProtectKernelModules = true;
|
ProtectKernelModules = true;
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
ProtectSystem = "full";
|
ProtectSystem = "full";
|
||||||
RemoveIPC = true;
|
RemoveIPC = true;
|
||||||
RestrictAddressFamilies = [
|
RestrictAddressFamilies = [
|
||||||
"AF_INET"
|
"AF_INET"
|
||||||
"AF_INET6"
|
"AF_INET6"
|
||||||
];
|
];
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
SystemCallFilter = [
|
SystemCallFilter = [
|
||||||
"@system-service"
|
"@system-service"
|
||||||
"~@privileged"
|
"~@privileged"
|
||||||
];
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user