torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Alertonotify hardening part 3
Some checks failed
Run nix flake check / flake-check (push) Failing after 10m10s
Details
Periodic flake update / flake-update (push) Successful in 4m12s
Details

Browse Source
This commit is contained in:
Torjus Håkestad
2025-05-18 15:24:58 +02:00
parent 16042b08c0
commit 78efb084ec
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
services/monitoring/alerttonotify.nix
View File

@@ -19,19 +19,25 @@
serviceConfig = { serviceConfig = {
Type = "exec"; Type = "exec";
ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify"; ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
DynamicUser = "yes";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
RestrictAddressFamilies = "AF_INET AF_INET6"; DynamicUser = "yes";
SystemCallArchitectures = "native"; LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
LockPersonality = "yes"; LockPersonality = "yes";
MemoryDenyWriteExecute = "yes"; MemoryDenyWriteExecute = "yes";
PrivateDevices = "yes"; PrivateDevices = "yes";
PrivateUsers = "yes"; PrivateUsers = "yes";
ProtectClock = "yes";
ProtectControlGroups = "yes"; ProtectControlGroups = "yes";
ProtectHome = "yes"; ProtectHome = "yes";
ProtectHostname = "yes"; ProtectHostname = "yes";
RestrictNamespace = "yes"; ProtectKernelLogs = "yes";
LoadCredential = "nats_nkey:/run/secrets/nats_nkey"; ProtectKernelModules = "yes";
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
SystemCallArchitectures = "native";
SystemCallFilter = "~@privileged";
}; };
}; };
} }