41 lines
1.3 KiB
Nix
41 lines
1.3 KiB
Nix
{ config, pkgs, lib, ... }: {
|
|
containers.snowflake = {
|
|
autoStart = true;
|
|
ephemeral = true;
|
|
config = {
|
|
systemd.services.snowflake = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
IPAccounting = "yes";
|
|
ExecStart = "${pkgs.snowflake}/bin/proxy";
|
|
DynamicUser = "yes";
|
|
# Read-only filesystem
|
|
ProtectSystem = "strict";
|
|
PrivateDevices = "yes";
|
|
ProtectKernelTunables = "yes";
|
|
ProtectControlGroups = "yes";
|
|
ProtectHome = "yes";
|
|
# Deny access to as many things as possible
|
|
NoNewPrivileges = "yes";
|
|
PrivateUsers = "yes";
|
|
LockPersonality = "yes";
|
|
MemoryDenyWriteExecute = "yes";
|
|
ProtectClock = "yes";
|
|
ProtectHostname = "yes";
|
|
ProtectKernelLogs = "yes";
|
|
ProtectKernelModules = "yes";
|
|
RestrictNamespaces = "yes";
|
|
RestrictRealtime = "yes";
|
|
RestrictSUIDSGID = "yes";
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter =
|
|
"~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged @resources";
|
|
CapabilityBoundingSet = "";
|
|
ProtectProc = "invisible";
|
|
ProcSubset = "pid";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|