gitea actions service hardening

pull/64/head
Tudor Roman 2024-01-29 23:52:51 +01:00
parent 04c9045119
commit 711c53c29e
Signed by: tudor
SSH Key Fingerprint: SHA256:3CwS9plgXBecpXImPGxDIaSktUXBejbV/zerZMqzzBk
1 changed files with 13 additions and 2 deletions


@ -130,8 +130,19 @@ in {
};
systemd.services."gitea-runner-${escapedName}" = {
# make it not dump literally everything in the syslog
serviceConfig.StandardOutput = "null";
serviceConfig = flake.self.lib.harden {
# make it not dump literally everything in the syslog
StandardOutput = "null";
# undo some hardening
# Node is a JIT
MemoryDenyWriteExecute = false;
# nix emits warnings otherwise
ProcSubset = "all";
# uncomment if disabling ASLR in jobs
# LockPersonality = false;
};
after = [
"gitea-runner-${escapedName}-token.service"
"gitea-runner-nix-image.service"