commit 34ad013b10102dfd02c2aedda8af2dc4e2402457 (tree) parent 98248b2e5b76faa0e86389cdba461d77a9e99264 Author: Motiejus Jakštys <motiejus@jakstys.lt> Date: Sun, 29 Sep 2024 22:35:14 +0300 immich: less privileges Diffstat:
| M | modules/services/immich/default.nix | | | 8 | -------- |
1 file changed, 0 insertions(+), 8 deletions(-)
diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix @@ -60,7 +60,6 @@ in name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}" ) cfg.bindPaths; PrivateDevices = lib.mkForce false; # /dev/fuse - ProtectHome = lib.mkForce false; # binding /home/motiejus CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"; # testing @@ -71,13 +70,6 @@ in PrivateMounts = lib.mkForce false; ProtectClock = lib.mkForce false; ProtectControlGroups = lib.mkForce false; - ProtectHostname = lib.mkForce false; - ProtectKernelLogs = lib.mkForce false; - ProtectKernelModules = lib.mkForce false; - ProtectKernelTunables = lib.mkForce false; - RestrictNamespaces = lib.mkForce false; - RestrictRealtime = lib.mkForce false; - RestrictSUIDSGID = lib.mkForce false; }; };