nixos/pocket-id: harden after backend-frontend merge

2025-06-11 02:15:21 +09:00 · 2025-06-02 01:20:23 +02:00 · 2025-06-02 01:20:23 +02:00 · 259a75fb1f
commit 259a75fb1f
parent f4249b03a9
1 changed files with 5 additions and 4 deletions
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@ -174,12 +174,12 @@ in
          CapabilityBoundingSet = "";
          DeviceAllow = "";
          DevicePolicy = "closed";
-          #IPAddressDeny = "any"; # communicates with the frontend
+          #IPAddressDeny = "any"; # provides the service through network
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
-          PrivateNetwork = false; # communicates with the frontend
+          PrivateNetwork = false; # provides the service through network
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
@ -191,7 +191,8 @@ in
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
-          ProtectSystem = "full"; # needs to write in cfg.dataDir
+          ProtectSystem = "strict";
+          ReadWritePaths = [ cfg.dataDir ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
@ -212,7 +213,7 @@ in
            "@privileged"
            "@raw-io"
            "@reboot"
-            #"@resources" # vm test segfaults
+            "@resources"
            "@swap"
          ];
          UMask = "0077";