From c9cfcf695fbc67aba9e781b8ec72fef6d4c8dbfe Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 20 Jan 2023 13:45:07 +0100
Subject: [PATCH] treewide: use bool literals for systemd

Run this from the repo root to check that there are no more remaining bool strings:
grep -P '"true"|"false"' -r --exclude-dir=.git
---
 modules/btcpayserver.nix | 4 ++--
 modules/onion-addresses.nix | 4 ++--
 pkgs/lib.nix | 36 ++++++++++++++++++------------------
 3 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 3e04f87..325a1a8 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -193,7 +193,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = [ cfg.nbxplorer.dataDir ];
- MemoryDenyWriteExecute = "false";
+ MemoryDenyWriteExecute = false;
 } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
 };
@@ -239,7 +239,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = [ cfg.btcpayserver.dataDir ];
- MemoryDenyWriteExecute = "false";
+ MemoryDenyWriteExecute = false;
 } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
 }; in self;
diff --git a/modules/onion-addresses.nix b/modules/onion-addresses.nix
index abc35c2..cff564f 100644
--- a/modules/onion-addresses.nix
+++ b/modules/onion-addresses.nix
@@ -55,8 +55,8 @@ in {
 RemainAfterExit = true;
 StateDirectory = "onion-addresses";
 StateDirectoryMode = "771";
- PrivateNetwork = "true"; # This service needs no network access
- PrivateUsers = "false";
+ PrivateNetwork = true; # This service needs no network access
+ PrivateUsers = false;
 CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
 };
 script = ''
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index 4a6970d..ab6b23e 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
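Review bot: In modules/btcpayserver.nix, both `MemoryDenyWriteExecute = false;` lines (the hunks at 193 and 239) switch off one of the default hardening settings without saying why, whereas pkgs/lib.nix documents the same relaxation for nodejs. A why-comment on each line would keep the exception auditable, for example `# Presumably required by the runtime's JIT compiler (needs W+X memory); confirm`. Both `serviceConfig` sets start outside their hunks, so the rest of each service's overrides is not visible here.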
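Review bot: In modules/onion-addresses.nix, `PrivateUsers = false;` carries no rationale, while the neighbouring `PrivateNetwork = true;` does. The service keeps a broad `CapabilityBoundingSet` (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER and others) and runs in the host user namespace, so this is the line an auditor will ask about. A comment such as `# Capabilities must apply to files owned by host users, so no private user namespace` would cover it; that reason is inferred from the capability list and should be checked against the script, which lies outside the hunk.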
@@ -7,28 +7,28 @@ with lib;
 let self = {
 # These settings roughly follow systemd's "strict" security profile
 defaultHardening = {
- PrivateTmp = "true";
+ PrivateTmp = true;
 ProtectSystem = "strict";
- ProtectHome = "true";
- NoNewPrivileges = "true";
- PrivateDevices = "true";
- MemoryDenyWriteExecute = "true";
- ProtectKernelTunables = "true";
- ProtectKernelModules = "true";
- ProtectKernelLogs = "true";
- ProtectClock = "true";
+ ProtectHome = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ MemoryDenyWriteExecute = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
 ProtectProc = "invisible";
 ProcSubset = "pid";
- ProtectControlGroups = "true";
+ ProtectControlGroups = true;
 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
- RestrictNamespaces = "true";
- LockPersonality = "true";
+ RestrictNamespaces = true;
+ LockPersonality = true;
 IPAddressDeny = "any";
- PrivateUsers = "true";
- RestrictSUIDSGID = "true";
- RemoveIPC = "true";
- RestrictRealtime = "true";
- ProtectHostname = "true";
+ PrivateUsers = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ RestrictRealtime = true;
+ ProtectHostname = true;
 CapabilityBoundingSet = "";
 # @system-service whitelist and docker seccomp blacklist (except for "clone"
 # which is a core requirement for systemd services)
@@ -42,7 +42,7 @@ let self = {
 };
 # nodejs applications require memory write execute for JIT compilation
- nodejs = { MemoryDenyWriteExecute = "false"; };
+ nodejs = { MemoryDenyWriteExecute = false; };
 # Allow takes precedence over Deny.
 allowLocalIPAddresses = {
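Review bot: In the `defaultHardening` hunk of pkgs/lib.nix (@@ -7,28), moving every value from `"true"` to `true` may break downstream configs that define the same `serviceConfig` key as a string at the same priority. The NixOS module system merges equal definitions of a unit option and rejects unequal ones, and `true` does not equal `"true"`; this is inferred from module-system behaviour, not from anything visible in the patch. A changelog line would help, plus a comment above the set such as `# Use bool literals: a string "true"/"false" defined elsewhere conflicts with these on merge`. The set continues past the end of the hunk.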