nixos/pgadmin: Apply more hardening settings (#449299)

Florian
2025-10-14 04:58:50 +00:00
committed by GitHub


@@ -208,7 +208,9 @@ in
User = "pgadmin";
DynamicUser = true;
LogsDirectory = "pgadmin";
LogsDirectoryMode = "750";
StateDirectory = "pgadmin";
StateDirectoryMode = "750";
ExecStart = "${cfg.package}/bin/pgadmin4";
LoadCredential = [
"initial_password:${cfg.initialPasswordFile}"
@@ -218,17 +220,20 @@ in
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
MountAPIVFS = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectControlGroups = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [
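Review bot: `ProtectSystem = "full";` is left untouched in the second hunk while the settings around it are tightened, and it sits in the same unit as `DynamicUser = true;` from the first hunk. As far as I know systemd implies ProtectSystem=strict for DynamicUser units, so the explicit "full" probably understates what is actually enforced. I would write `ProtectSystem = "strict";` so the module states the effective sandbox and stays strict if DynamicUser is ever dropped. The writable locations are already declared through `StateDirectory` and `LogsDirectory`, so this should not need extra ReadWritePaths, though that is worth confirming against a running instance. The rendered page has lost the +/- markers and the serviceConfig set starts and ends outside the visible hunks, so which lines are new is inferred from the hunk counts.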