nix(coredns): force user, force restart always...

... and set MemoryDenyWriteExecute = true.
surtur 2023-11-24 16:27:07 +01:00
parent ca699f1dbe
commit 588b0b5a5c
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -229,18 +229,19 @@ in {
WorkingDirectory = "/"; WorkingDirectory = "/";
# StartLimitIntervalSec = 5; # StartLimitIntervalSec = 5;
StartLimitBurst = 10; StartLimitBurst = 10;
Restart = lib.mkDefault "always"; Restart = lib.mkForce "always";
RestartSec = 10; RestartSec = 10;
# PermissionsStartOnly = true; # PermissionsStartOnly = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
LimitNOFILE = 1048576; LimitNOFILE = 1048576;
LimitNPROC = 512; LimitNPROC = 512;
User = usr; User = usr;
DynamicUser = lib.mkForce "no";
EnvironmentFile = config.sops.templates.corednsEnv.path; EnvironmentFile = config.sops.templates.corednsEnv.path;
# LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials; # LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
DeviceAllow = ""; DeviceAllow = "";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
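Review bot: `DynamicUser = lib.mkForce "no";` passes a string where every neighbouring switch in this attribute set is a Nix boolean; `DynamicUser = lib.mkForce false;` yields an equivalent unit setting and stays comparable for any Nix code that tests the value as a boolean. Turning dynamic users off also drops the sandboxing that systemd implies with DynamicUser. ProtectSystem, PrivateTmp and NoNewPrivileges are set explicitly in this hunk, but ProtectHome, RemoveIPC and RestrictSUIDSGID are not visible here and should be confirmed in the rest of the set, which starts and ends outside the hunk. The account behind `User = usr;` now has to be declared statically somewhere outside this hunk. Since the same change sets `Restart = lib.mkForce "always"` alongside `MemoryDenyWriteExecute = true`, a start-up failure caused by the new restriction would show up as a restart loop every RestartSec rather than a stopped unit, so the journal is worth checking after the first deploy.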