Sanbox ddns service and fix auth problems

2023-06-21 16:31:51 +02:00 · 2023-06-21 16:31:51 +02:00 · dc83848eb0
commit dc83848eb0
parent f3098f45b6
2 changed files with 23 additions and 11 deletions
--- a/nixos/modules/ddns.nix
+++ b/nixos/modules/ddns.nix
@ -17,7 +17,20 @@ with lib; let
    systemd.services = listToAttrs (forEach domains (domain:
      nameValuePair "ddns-${domain}"
        {
-          serviceConfig.Type = "oneshot";
+          serviceConfig = {
+            Type = "oneshot";
+            PrivateTmp = true;
+            PrivateDevices = true;
+            PrivateUsers = true;
+            PrivateMounts = true;
+            PrivateIPC = true;
+            ProtectHome = true;
+            ProtectSystem = "strict";
+            ProtectKernelTunables = true;
+            BindReadOnlyPaths = [ credentialsPath ];
+            NoNewPrivileges = true;
+            CapabilitBoundingSet = [ ];
+          };
          script = ''
            function url() {
              echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"