These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
In my tests, Redmine only bound to an IPv4 address and Unix socket,
which is why I restricted the address families to these both.
The command `systemd-analyze security redmine.service` reports an
overall exposure level of 2.9 with this patch.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
In order to not expose Redmine over all interfaces, allow configuring an
IP address it should bind to. Listen to 0.0.0.0 by default.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
The majority of users these days will install NixOS on SSD/NVME based
storage. Enabling fstrim ensures that the TRIM operation on this type of
storage is run at least once a week. This will improve performance and
life time of said devices. This also works in virtual machines as
formats such as qcow2 or vmdk support TRIM.
Ubuntu has a similar systemd timer also for quite a while enabled by
default.
Enabling this service will not increase the dependency closure as
util-linux is already part of the base system.
In case only filesystems that are not supported by fstrim are used, the
overhead is negelible as fstrim run in less than a second once a week.
These can be either an integer or a range.
Range options are necessary for `FREE_LIMIT` to take effect when used in
conjunction with `TIMELINE_LIMIT_*`.
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
I'm maintaining the associated packages. So it makes sense to add myself
to their modules as well.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Follow up to #342584.
Similarly to that PR, it is surprising that software which was installed by the user isn't available to a script run over ssm by default.
When executing commands with ssm, users will now have more predictable access to baked-in software instead of an extremely bare-minimum set currently there.