authorArtturi <Artturin@artturin.com>2023-04-18 21:52:21 +0300
committerGitHub <noreply@github.com>2023-04-18 21:52:21 +0300
commit9a1f5d4248a5038b49b632444eca9ab5784253b4 (patch)
tree8c711bf844bd540a769e59e61bc6d79e8574fb1a /nixos
parent9f707051a908364bc7e860df6f40e8680bd0f1b7 (diff)
parenteac28f38d6b78743accda7831613700cfd236a5c (diff)
Merge pull request #226889 from Artturin/fixlints2
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/wstunnel.nix4
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/wstunnel.nix b/nixos/modules/services/networking/wstunnel.nix
index 440b617f60a39..067d5df487255 100644
--- a/nixos/modules/services/networking/wstunnel.nix
+++ b/nixos/modules/services/networking/wstunnel.nix
@@ -294,7 +294,7 @@ let
         DynamicUser = true;
         SupplementaryGroups = optional (serverCfg.useACMEHost != null) certConfig.group;
         PrivateTmp = true;
-        AmbientCapabilities = optional (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = optionals (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
         NoNewPrivileges = true;
         RestrictNamespaces = "uts ipc pid user cgroup";
         ProtectSystem = "strict";
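Review bot: No `CapabilityBoundingSet` appears next to `AmbientCapabilities` in this server serviceConfig, nor in the client one in the second hunk, so nothing visible here bounds the unit to the capabilities it is deliberately given. `NoNewPrivileges` and `DynamicUser` already close most ways of gaining more, so this is defence in depth. If it is not set in the part of the attrset outside the hunk, consider `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` here and `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` for the client. Both serviceConfig blocks start and end outside their hunks.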
@@ -340,7 +340,7 @@ let
         EnvironmentFile = optional (clientCfg.environmentFile != null) clientCfg.environmentFile;
         DynamicUser = true;
         PrivateTmp = true;
-        AmbientCapabilities = (optional (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]) ++ (optional ((clientCfg.dynamicToRemote.port or 1024) < 1024 || (any (x: x.local.port < 1024) clientCfg.localToRemote)) [ "CAP_NET_BIND_SERVICE" ]);
+        AmbientCapabilities = (optionals (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]) ++ (optionals ((clientCfg.dynamicToRemote.port or 1024) < 1024 || (any (x: x.local.port < 1024) clientCfg.localToRemote)) [ "CAP_NET_BIND_SERVICE" ]);
         NoNewPrivileges = true;
         RestrictNamespaces = "uts ipc pid user cgroup";
         ProtectSystem = "strict";
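Review bot: The `CAP_NET_ADMIN` grant on the client `AmbientCapabilities` line has no comment tying it to `soMark`, even though it is a far broader capability than the port-binding one beside it. I would add a comment above the line such as `# soMark presumably sets a socket mark, which needs CAP_NET_ADMIN; that capability also covers interface, routing and firewall changes, so grant it only when soMark is set.` The single long expression would also be easier to audit if the two conditions were bound to names first, e.g. `needsNetAdmin = clientCfg.soMark != null;`, with the list then built from those names. The enclosing serviceConfig starts and ends outside the hunk, so the `let` would have to go wherever the module already keeps its bindings.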