Noratrieb/vps
1
0
Fork 0
mirror of https://github.com/Noratrieb/vps.git synced 2026-01-17 10:05:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: Noratrieb:d21158e2345543411adac971e1ba9f560d9d8909
Branches Tags
Noratrieb:main
Noratrieb:dynamic-dns-updates
Noratrieb:ipv6
Noratrieb:mail
Noratrieb:nixos
Noratrieb:email
..
compare: Noratrieb:9c688d469f87537612cae5ac1ce1590ad50bda2f
Branches Tags
Noratrieb:main
Noratrieb:dynamic-dns-updates
Noratrieb:ipv6
Noratrieb:mail
Noratrieb:nixos
Noratrieb:email

No commits in common. "d21158e2345543411adac971e1ba9f560d9d8909" and "9c688d469f87537612cae5ac1ce1590ad50bda2f" have entirely different histories.
d21158e234 ... 9c688d469f

4 changed files with 2 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nix/apps/does-it-build/default.nix
View file

@ -3,7 +3,6 @@ let
does-it-build-base = (import (pkgs.fetchFromGitHub my-projects-versions.does-it-build.fetchFromGitHub)) { inherit pkgs; }; does-it-build-base = (import (pkgs.fetchFromGitHub my-projects-versions.does-it-build.fetchFromGitHub)) { inherit pkgs; };
does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: { does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build.commit; DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build.commit;
RUSTFLAGS = "-Cforce-frame-pointers=true";
}); });
in in
{ {

16
nix/apps/widetom/default.nix
View file

@ -8,7 +8,6 @@ let
meta = { meta = {
mainProgram = "widertom"; mainProgram = "widertom";
}; };
RUSTFLAGS = "-Cforce-frame-pointers=true";
}; };
in in
{ {
@ -32,21 +31,6 @@ in
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
ExecStart = lib.getExe widetom; ExecStart = lib.getExe widetom;
PrivateDevices = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectKernelTunables = true;
CapabilityBoundingSet = "";
ProtectProc = "noaccess";
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "";
SystemCallFilter = "@system-service";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
}; };
}; };

16
nix/modules/default/default.nix
View file

@ -188,22 +188,6 @@ in
}; };
systemd.services.alloy.serviceConfig = { systemd.services.alloy.serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
PrivateMounts = true;
ProtectControlGroups = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = true;
ProtectHome = true;
PrivateTmp = true;
NoNewPrivileges = true;
RestrictNamespaces = "";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
# TODO: find what's required for /proc/kallsyms (it should be CAP_SYSLOG!)
# CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG";
}; };
environment.etc."alloy/config.alloy".text = '' environment.etc."alloy/config.alloy".text = ''
discovery.process "all" { discovery.process "all" {

4
nix/nixpkgs.json
View file

@ -1,5 +1,5 @@
{ {
"channel": "nixos-25.05", "channel": "nixos-25.05",
"lastUpdated": "2025-08-18T18:47:54.435Z", "lastUpdated": "2025-08-03T11:42:11.747Z",
"commit": "48f4c982de68d966421d2b6f1ddbeb6227cc5ceb" "commit": "59e69648d345d6e8fef86158c555730fa12af9de"
} }