From fd81d61a56145b7beb5897bc98d582d239a6daa0 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Tue, 10 Dec 2024 19:33:11 +0100 Subject: [PATCH] common/logrotate: remove custom hardening now that nixpkgs provides it --- base/services/logrotate.nix | 35 +---------------------------------- 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/base/services/logrotate.nix b/base/services/logrotate.nix index f315638..fe61c03 100644 --- a/base/services/logrotate.nix +++ b/base/services/logrotate.nix @@ -1,41 +1,8 @@ { ... }: { - # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service systemd.services.logrotate = { documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; unitConfig.RequiresMountsFor = "/var/log"; - serviceConfig = { - Nice = 19; - IOSchedulingClass = "best-effort"; - IOSchedulingPriority = 7; - - ReadWritePaths = [ "/var/log" ]; - - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ "" ]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; # disable for third party rotate scripts - PrivateDevices = true; - PrivateNetwork = true; # disable for mail delivery - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; # disable for userdir logs - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "full"; - RestrictNamespaces = true; - RestrictRealtime = true; - SocketBindDeny = [ "any" ]; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - ]; - }; + serviceConfig.ReadWritePaths = [ "/var/log" ]; }; }