author | Maciej Krüger <mkg20001@gmail.com> | 2024-01-23 20:58:21 +0100 |
---|---|---|
committer | Maciej Krüger <mkg20001@gmail.com> | 2024-04-24 19:00:37 +0200 |
commit | 9c565e0e69f468be6f453235fb8f19089930a8f5 (patch) | |
tree | 2cb1d9d45063ab6b32f4f95e5da246418814e427 /nixos/modules | |
parent | 96d1602a5f80d3dca2ca1ea706e3fee6eb0c9249 (diff) |
rustdesk-server: use DynamicUser
this was a suggestion on #272501
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/monitoring/rustdesk-server.nix | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index 0a6a8e71672fd..cafaeac6c3066 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -35,15 +35,14 @@ in {
 Slice = "system-rustdesk.slice";
 User = "rustdesk";
 Group = "rustdesk";
+ DynamicUser = "yes";
 Environment = [];
 WorkingDirectory = "/var/lib/rustdesk";
 StateDirectory = "rustdesk";
 StateDirectoryMode = "0750";
 LockPersonality = true;
- NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
- PrivateTmp = true;
 PrivateUsers = true;
 ProtectClock = true;
 ProtectControlGroups = true;
@@ -53,10 +52,7 @@ in {
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
 RestrictNamespaces = true;
- RestrictSUIDSGID = true;
 };
 };
 in lib.mkIf cfg.enable { |
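Review bot: `User = "rustdesk"` and `Group = "rustdesk"` stay next to the new `DynamicUser = "yes";` in the first hunk, and systemd reuses an existing static account of that name instead of allocating a dynamic one, so if the module still declares a `rustdesk` user and group outside these hunks (not visible here) the service keeps its fixed UID. The five removed settings (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem = "strict"`, `RemoveIPC`, `RestrictSUIDSGID`) are implied by DynamicUser=, so that part of the sandbox now depends on this one line. A comment such as `# DynamicUser implies NoNewPrivileges, PrivateTmp, ProtectSystem=strict, RemoveIPC, RestrictSUIDSGID` would keep a later revert of DynamicUser from silently dropping them. The neighbouring booleans are written as `true`, so `DynamicUser = true;` would match the rest of the attribute set, which begins above the first hunk.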