diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
|
|
index 00e90f5b32b..90879dce7dc 100644
|
|
--- a/nixos/modules/services/misc/gitea.nix
|
|
+++ b/nixos/modules/services/misc/gitea.nix
|
|
@@ -175,7 +175,7 @@ in
|
|
};
|
|
|
|
type = mkOption {
|
|
- type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" ];
|
|
+ type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ];
|
|
default = "zip";
|
|
description = lib.mdDoc "Archive format used to store the dump file.";
|
|
};
|
|
@@ -567,7 +567,10 @@ in
|
|
Restart = "always";
|
|
# Runtime directory and mode
|
|
RuntimeDirectory = "gitea";
|
|
- RuntimeDirectoryMode = "0755";
|
|
+ RuntimeDirectoryMode = "0750";
|
|
+ # Proc filesystem
|
|
+ ProcSubset = "pid";
|
|
+ ProtectProc = "invisible";
|
|
# Access write directories
|
|
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
|
|
UMask = "0027";
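Review bot: Lowering RuntimeDirectoryMode from "0755" to "0750" changes who can traverse the directory created by `RuntimeDirectory = "gitea"`, and the hunk gives no indication whether anything outside the service's user and group (for instance a reverse proxy reaching a Unix socket placed there) relies on world access to it; if that is possible, the change deserves a release note or a word in the option documentation so operators know to add that user to the gitea group. A short why-comment above the line would help the next reader too, e.g. `# 0750: only the service user/group may traverse /run/gitea`. The added `ProcSubset = "pid"` and `ProtectProc = "invisible"` are consistent with the other hardening in this serviceConfig, but the enclosing attribute set starts and ends outside this hunk, so whether any sibling setting conflicts with them cannot be checked here.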
|
|
@@ -587,15 +590,17 @@ in
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
- RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
|
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
|
+ RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
+ RemoveIPC = true;
|
|
PrivateMounts = true;
|
|
# System Call Filtering
|
|
SystemCallArchitectures = "native";
|
|
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
|
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
|
|
};
|
|
environment = {
|