config

NixOS config

commit 8800a014e0ac154b818cb092fff3db93cfbad8ca (tree)
parent ba059e90491e9f6cffdfd1058a790e1b23969e29
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date:   Wed,  3 Jun 2026 05:11:19 +0000

timelapse-r11: allow access by motiejus

Diffstat:
Mmodules/services/timelapse-r11/default.nix | 25+++++++++++++++++++++++++
1 file changed, 25 insertions(+), 0 deletions(-)

diff --git a/modules/services/timelapse-r11/default.nix b/modules/services/timelapse-r11/default.nix @@ -44,6 +44,10 @@ in config = lib.mkIf cfg.enable { mj.base.unitstatus.units = [ "timelapse-r11" ]; + users.groups.timelapse-r11 = { + members = [ "motiejus" ]; + }; + systemd.timers.timelapse-r11 = { timerConfig.OnCalendar = cfg.onCalendar; wantedBy = [ "timers.target" ]; @@ -58,9 +62,30 @@ in LoadCredential = [ "secrets.env:${cfg.secretsEnv}" ]; RuntimeDirectory = "timelapse-r11"; StateDirectory = "timelapse-r11"; + StateDirectoryMode = "0750"; DynamicUser = true; + Group = "timelapse-r11"; Type = "simple"; RuntimeMaxSec = "55s"; + + # From/instead of DynamicUser=true + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectClock = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + SystemCallArchitectures = "native"; + PrivateUsers = true; + PrivateDevices = true; + MemoryDenyWriteExecute = true; + LockPersonality = true; + CapabilityBoundingSet = ""; }; };
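Review bot: In the second hunk, `StateDirectoryMode = "0750"` plus `Group = "timelapse-r11"` may not actually give motiejus access while `DynamicUser = true` stays set, because with DynamicUser= systemd (as far as I recall) places the state directory under `/var/lib/private`, a root-owned 0700 directory, and only symlinks it from `/var/lib/timelapse-r11`, so group traversal is blocked one level up; this is worth verifying on the host after deploy rather than assuming from the unit file. If that is the case, the intended fix would be a static user (`DynamicUser = false` with a dedicated `users.users.timelapse-r11`), and the added hardening list would then be doing real work, since DynamicUser= itself implies RemoveIPC, PrivateTmp, ProtectSystem=strict, ProtectHome=read-only, NoNewPrivileges and RestrictSUIDSGID but, to my knowledge, none of the Protect*/Restrict*/SystemCall*/Private* settings added here. The comment `# From/instead of DynamicUser=true` reads as if these settings replace DynamicUser, which the hunk still keeps at true; I would reword it to `# Hardening beyond what DynamicUser=true already implies` so a later reader does not drop DynamicUser thinking the list is equivalent. The group member `"motiejus"` in the first hunk is hard-coded while the rest of the module is option-driven (`cfg.onCalendar`, `cfg.secretsEnv`); a `cfg.readers` list option would keep the module reusable. The enclosing `serviceConfig` set begins before the second hunk.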