author | Frederik Rietdijk <fridh@fridh.nl> | 2020-11-28 08:53:47 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-11-28 08:53:47 +0100 |
commit | 9e062723b2d60d2be85268fb7eebb28abce0b5af (patch) | |
tree | 691e8a0b8cb475751f75f192dd3e16f452c6fcce /nixos/modules | |
parent | b2a3891e12777fa5e16bc93bc95c0d5ba256ebaf (diff) | |
parent | 8256fc2da56b573411144030c48812c12798676b (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/mosquitto.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 4a85b3956dae..10b49d9b2206 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -232,6 +232,16 @@ in
 Restart = "on-failure";
 ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ReadWritePaths = "${cfg.dataDir}";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ NoNewPrivileges = true;
 };
 preStart = ''
 rm -f ${cfg.dataDir}/passwd |
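Review bot: With `ProtectSystem = "strict"` the only writable location left to the broker is `ReadWritePaths = "${cfg.dataDir}"`, and nothing in the hunk tells a maintainer that this is now a hard constraint. Any log file or persistence path configured outside `cfg.dataDir` (for example through free-form configuration, if the module offers it) would presumably fail with a read-only filesystem error, so a comment above the line such as `# strict: only cfg.dataDir is writable; file logging/persistence elsewhere needs an extra ReadWritePaths entry` would save debugging time. systemd also refuses to start a unit whose `ReadWritePaths` entry does not exist unless the path is prefixed with `-`, and the creation of `cfg.dataDir` is not visible here, so it is worth confirming the directory is guaranteed to exist before the first start. The `serviceConfig` block begins outside the hunk, so other directives already set there cannot be checked from this view.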