Alertonotify hardening part 3

This commit is contained in:
Torjus Håkestad 2025-05-18 15:24:58 +02:00
parent 16042b08c0
commit 78efb084ec
Signed by: torjus
SSH Key Fingerprint: SHA256:KjAds8wHfD2mBYK2H815s/+ABcSdcIHUndwHEdSxml4


@ -19,19 +19,25 @@
serviceConfig = {
Type = "exec";
ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
DynamicUser = "yes";
CapabilityBoundingSet = "";
RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallArchitectures = "native";
DynamicUser = "yes";
LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
LockPersonality = "yes";
MemoryDenyWriteExecute = "yes";
PrivateDevices = "yes";
PrivateUsers = "yes";
ProtectClock = "yes";
ProtectControlGroups = "yes";
ProtectHome = "yes";
ProtectHostname = "yes";
RestrictNamespace = "yes";
LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
ProtectKernelLogs = "yes";
ProtectKernelModules = "yes";
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
SystemCallArchitectures = "native";
SystemCallFilter = "~@privileged";
};
};
}
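Review bot: `RestrictNamespace = "yes";` is still present on the new side next to the added `RestrictNamespaces = "yes";`, and the singular spelling is not a systemd directive, so systemd logs it as an unknown key in [Service] and ignores it while the unit starts normally; only the plural line actually restricts namespace creation. Deleting the singular line removes the dead setting and also restores the alphabetical ordering the rest of this reordering establishes, since it currently sits between `ProtectHostname` and `LoadCredential`. Nix evaluation and `nix flake check` will not flag this because it is just an attribute name in the `serviceConfig` set; running `systemd-analyze verify` against the generated unit would. With `ProtectKernelLogs` and `ProtectKernelModules` now added, `ProtectKernelTunables = "yes";` and `ProtectProc = "invisible";` are the usual companions, assuming the process has no need to write under /proc/sys or to see other users' processes.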