Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: eb7d36720048
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: a390213f8557
Choose a head ref
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Apr 13, 2020

  1. mosquitto: systemd service sandboxing 

    running the service in a sandbox. read-only root file system,
with tmpfs mounted in /tmp, hidden /root and /home,
temporary /dev. the only writeable path is the data directory,
which according to my experiments is enough for the service
to work correctly.
    @snicket2100
    snicket2100 committed Apr 13, 2020
    Copy the full SHA
    2b0ee78 View commit details

Commits on Nov 27, 2020

  1. Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing 

    mosquitto: systemd service sandboxing
    @SuperSandro2000
    SuperSandro2000 authored Nov 27, 2020
    Copy the full SHA
    a390213 View commit details
Showing with 10 additions and 0 deletions.
  1. +10 −0 nixos/modules/services/networking/mosquitto.nix
10 changes: 10 additions & 0 deletions nixos/modules/services/networking/mosquitto.nix
View file
Original file line number Diff line number Diff line change
@@ -232,6 +232,16 @@ in
Restart = "on-failure";
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

ProtectSystem = "strict";
ProtectHome = true;
PrivateDevices = true;
PrivateTmp = true;
ReadWritePaths = "${cfg.dataDir}";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
NoNewPrivileges = true;
};
preStart = ''
rm -f ${cfg.dataDir}/passwd