treewide: use bool literals for systemd

Run this from the repo root to check that there are no more remaining bool strings: grep -P '"true"|"false"' -r --exclude-dir=.git
2023-01-20 13:45:07 +01:00 · 2023-01-20 13:45:07 +01:00 · c9cfcf695f
parent f0ca489867
commit c9cfcf695f
3 changed files with 22 additions and 22 deletions
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -193,7 +193,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = [ cfg.nbxplorer.dataDir ];
-        MemoryDenyWriteExecute = "false";
+        MemoryDenyWriteExecute = false;
      } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
    };

@ -239,7 +239,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = [ cfg.btcpayserver.dataDir ];
-        MemoryDenyWriteExecute = "false";
+        MemoryDenyWriteExecute = false;
      } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
    }; in self;

--- a/modules/onion-addresses.nix
+++ b/modules/onion-addresses.nix
@ -55,8 +55,8 @@ in {
        RemainAfterExit = true;
        StateDirectory = "onion-addresses";
        StateDirectoryMode = "771";
-        PrivateNetwork = "true"; # This service needs no network access
-        PrivateUsers = "false";
+        PrivateNetwork = true; # This service needs no network access
+        PrivateUsers = false;
        CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
      };
      script = ''
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@ -7,28 +7,28 @@ with lib;
 let self = {
  # These settings roughly follow systemd's "strict" security profile
  defaultHardening = {
-      PrivateTmp = "true";
+      PrivateTmp = true;
      ProtectSystem = "strict";
-      ProtectHome = "true";
-      NoNewPrivileges = "true";
-      PrivateDevices = "true";
-      MemoryDenyWriteExecute = "true";
-      ProtectKernelTunables = "true";
-      ProtectKernelModules = "true";
-      ProtectKernelLogs = "true";
-      ProtectClock = "true";
+      ProtectHome = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
-      ProtectControlGroups = "true";
+      ProtectControlGroups = true;
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-      RestrictNamespaces = "true";
-      LockPersonality = "true";
+      RestrictNamespaces = true;
+      LockPersonality = true;
      IPAddressDeny = "any";
-      PrivateUsers = "true";
-      RestrictSUIDSGID = "true";
-      RemoveIPC = "true";
-      RestrictRealtime = "true";
-      ProtectHostname = "true";
+      PrivateUsers = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      RestrictRealtime = true;
+      ProtectHostname = true;
      CapabilityBoundingSet = "";
      # @system-service whitelist and docker seccomp blacklist (except for "clone"
      # which is a core requirement for systemd services)
@ -42,7 +42,7 @@ let self = {
  };

  # nodejs applications require memory write execute for JIT compilation
-  nodejs = { MemoryDenyWriteExecute = "false"; };
+  nodejs = { MemoryDenyWriteExecute = false; };

  # Allow takes precedence over Deny.
  allowLocalIPAddresses = {