Skip to content
Snippets Groups Projects
Commit cb1f37e1 authored by Florian Sesser's avatar Florian Sesser
Browse files

Add an introducing comment to restricted-service.nix

parent f62e0bea
No related branches found
No related tags found
2 merge requests!274merge develop into production,!262Miscellaneous changes
Pipeline #1863 passed
Stage: build
Stage: test
Hide whitespace changes
Inline Side-by-side
nixos/modules/restricted-service.nix
+ 8
1
View file @ cb1f37e1
# Provide secure defaults for systemd services
#
# Good reads:
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
# https://docs.arbitrary.ch/security/systemd.html
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
{
DynamicUser = true;
# This set of restrictions is mostly dervied from
# - running `systemd-analyze security zkap-spending-service.service
# - running `systemd-analyze security zkap-spending-service.service`
# - Looking at the restrictions from the nixos nginx config.
AmbientCapabilities = "";
CapabilityBoundingSet = "";
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment