author | Vincent Haupert <vincent@yaxi.tech> | 2023-02-09 09:39:38 +0100 |
---|---|---|
committer | pennae <82953136+pennae@users.noreply.github.com> | 2023-02-11 18:21:21 +0100 |
commit | 989a1a6ef5cb048daecc0101d438b26f7684f0f1 (patch) | |
tree | 2d6095daf73e14a2a115c4fb27c68d04e0998eff | |
parent | 68bfdaec5737cbd68703dc8a4e3a5f4c70ac6d73 (diff) |
nixos/envoy: use lists in `serviceConfig` where appropriate
Using type `list` instead of `str` in `serviceConfig` entries which accept multiple values allows easier extension of the unit configuration.
-rw-r--r-- | nixos/modules/services/networking/envoy.nix | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix
index 20cfebb799144..c6817f12f1b82 100644
--- a/nixos/modules/services/networking/envoy.nix
+++ b/nixos/modules/services/networking/envoy.nix
@@ -56,16 +56,16 @@ in
 ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}";
 DynamicUser = true;
 Restart = "no";
- CacheDirectory = "envoy";
- LogsDirectory = "envoy";
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP";
+ CacheDirectory = [ "envoy" ];
+ LogsDirectory = [ "envoy" ];
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_XDP" ];
 SystemCallArchitectures = "native";
 LockPersonality = true;
 RestrictNamespaces = true;
 RestrictRealtime = true;
- PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+ PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
 PrivateDevices = true;
 ProtectClock = true;
 ProtectControlGroups = true;
@@ -77,7 +77,7 @@ in
 ProtectHostname = true;
 ProtectSystem = "strict";
 UMask = "0066";
- SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation";
+ SystemCallFilter = [ "~@clock" "~@module" "~@mount" "~@reboot" "~@swap" "~@obsolete" "~@cpu-emulation" ];
 };
 };
 };
|
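Review bot: The new `SystemCallFilter` list in the second hunk changes how the deny-list must be extended, and that pitfall is not documented next to it. A list value here is emitted as one `SystemCallFilter=` line per element, and systemd merges repeated assignments: the first line's `~` makes the filter a deny-list, later `~`-prefixed lines add to it, but a later line without `~` removes the named group from the deny set and so silently re-allows it — which is why every element in the new list carries its own `~`, whereas the old single string inherited the one leading `~` for all groups. Since the commit's stated goal is easier extension by other modules, a maintainer appending `"@privileged"` instead of `"~@privileged"` would loosen the sandbox rather than tighten it, so a one-line comment above the entry such as `# Deny-list: every element must keep its "~" prefix — an unprefixed element re-allows that syscall group.` would make the contract explicit. The `serviceConfig` attribute set these hunks belong to begins before the first hunk, so the remaining hardening options (e.g. whether `NoNewPrivileges` or `MemoryDenyWriteExecute` are set) are not visible here.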