aboutsummaryrefslogtreecommitdiff
path: root/nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service')
-rw-r--r--nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service35
1 files changed, 35 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service b/nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service
new file mode 100644
index 00000000000..7a91f902544
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Seamless ssh-agent for YubiKeys
+Documentation=https://filippo.io/yubikey-agent
+
+[Service]
+ExecStart=yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
+ExecReload=/bin/kill -HUP $MAINPID
+ProtectSystem=strict
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+IPAddressDeny=any
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+CapabilityBoundingSet=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+KeyringMode=private
+UMask=0177
+RuntimeDirectory=yubikey-agent
+
+[Install]
+WantedBy=default.target
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-19 08:46:44 +0000