Merge master into staging-next

author: Frederik Rietdijk <fridh@fridh.nl> 2020-11-28 08:53:47 +0100
committer: Frederik Rietdijk <fridh@fridh.nl> 2020-11-28 08:53:47 +0100
commit: 9e062723b2d60d2be85268fb7eebb28abce0b5af (patch)
tree: 691e8a0b8cb475751f75f192dd3e16f452c6fcce /nixos
parent: b2a3891e12777fa5e16bc93bc95c0d5ba256ebaf (diff)
parent: 8256fc2da56b573411144030c48812c12798676b (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 4a85b3956dae..10b49d9b2206 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -232,6 +232,16 @@ in
         Restart = "on-failure";
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ReadWritePaths = "${cfg.dataDir}";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        NoNewPrivileges = true;
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd
author	Frederik Rietdijk <fridh@fridh.nl>	2020-11-28 08:53:47 +0100
committer	Frederik Rietdijk <fridh@fridh.nl>	2020-11-28 08:53:47 +0100
commit	9e062723b2d60d2be85268fb7eebb28abce0b5af (patch)
tree	691e8a0b8cb475751f75f192dd3e16f452c6fcce /nixos
parent	b2a3891e12777fa5e16bc93bc95c0d5ba256ebaf (diff)
parent	8256fc2da56b573411144030c48812c12798676b (diff)