motiejus/config
1
Fork 0
Code Packages Releases Activity

work with caps

Browse Source
This commit is contained in:
Motiejus Jakštys
2024-10-01 15:52:20 +03:00
parent 4b896109de
commit 6b02aec518
2 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
modules/services/immich/default.nix
View File

@@ -27,7 +27,7 @@ let
}
exec setpriv \
--ruid ${immich-user} \
--inh-caps -sys_admin,-setuid,-setgid \
--inh-caps -all \
${lib.getExe immich-package}
'';
};
@@ -61,7 +61,7 @@ in
name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
) cfg.bindPaths;
PrivateDevices = lib.mkForce false; # /dev/fuse
CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
CapabilityBoundingSet = lib.mkForce "~";
ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
PrivateUsers = lib.mkForce false; # bindfs fails otherwise
};