nix(coredns): force user, force restart always...

... and set MemoryDenyWriteExecute = true.
surtur 2023-11-24 16:27:07 +01:00
parent ca699f1dbe
commit 588b0b5a5c
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -229,18 +229,19 @@ in {
WorkingDirectory = "/";
# StartLimitIntervalSec = 5;
StartLimitBurst = 10;
Restart = lib.mkDefault "always";
Restart = lib.mkForce "always";
RestartSec = 10;
# PermissionsStartOnly = true;
ProtectSystem = "strict";
LimitNOFILE = 1048576;
LimitNPROC = 512;
User = usr;
DynamicUser = lib.mkForce "no";
EnvironmentFile = config.sops.templates.corednsEnv.path;
# LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = false;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
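Review bot: `MemoryDenyWriteExecute = true;` is only as strong as the ABI restriction beside it, because systemd's documentation notes that alternative ABIs can be used to get around this filter and recommends pairing it with `SystemCallArchitectures = "native";`. Whether that is already set cannot be seen here, since the attribute set continues past the end of the hunk. On style, `DynamicUser = lib.mkForce "no";` works as a string, but `false` would match the booleans around it. A one-line comment such as `# mkForce: override the upstream module's DynamicUser/Restart defaults` would tell the next reader why the override is needed, given that `mkForce` also wins over ordinary per-host definitions.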