Merge pull request #283298 from mkg20001/rustdesk-dynamic

rustdesk-server: use DynamicUser
author: Maciej Krüger <mkg20001@gmail.com> 2024-04-24 20:03:44 +0200
committer: GitHub <noreply@github.com> 2024-04-24 20:03:44 +0200
commit: 657e5c43be7db70c3fe64442f20934b5e82dacbb (patch)
tree: 722bce4e725d1c212f2878701d259bb7d4729a57 /nixos/modules
parent: 0da27370a1d103997c29f51b590ea25a50b7f364 (diff)
parent: 9c565e0e69f468be6f453235fb8f19089930a8f5 (diff)
1 files changed, 1 insertions, 5 deletions
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index fcfd57167dd8f..21e6128c7226a 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -53,15 +53,14 @@ in {
         Slice = "system-rustdesk.slice";
         User  = "rustdesk";
         Group = "rustdesk";
+        DynamicUser = "yes";
         Environment = [];
         WorkingDirectory = "/var/lib/rustdesk";
         StateDirectory   = "rustdesk";
         StateDirectoryMode = "0750";
         LockPersonality = true;
-        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateMounts = true;
-        PrivateTmp = true;
         PrivateUsers = true;
         ProtectClock = true;
         ProtectControlGroups = true;
@@ -71,10 +70,7 @@ in {
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RemoveIPC = true;
         RestrictNamespaces = true;
-        RestrictSUIDSGID = true;
       };
     };
   in lib.mkIf cfg.enable {
author	Maciej Krüger <mkg20001@gmail.com>	2024-04-24 20:03:44 +0200
committer	GitHub <noreply@github.com>	2024-04-24 20:03:44 +0200
commit	657e5c43be7db70c3fe64442f20934b5e82dacbb (patch)
tree	722bce4e725d1c212f2878701d259bb7d4729a57 /nixos/modules
parent	0da27370a1d103997c29f51b590ea25a50b7f364 (diff)
parent	9c565e0e69f468be6f453235fb8f19089930a8f5 (diff)