Merge pull request #158 from serokell/sereja/OPS-1161-add-withHardeni…

…ngProfile [OPS-1161] Add `withHardeningProfile` helper
serokell · Mar 13, 2024 · b6bbeda · b6bbeda
2 parents 99becbe + 048a0ad
commit b6bbeda
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/lib/default.nix b/lib/default.nix
@@ -11,7 +11,7 @@
 
   haskell = import ./haskell.nix { inherit lib nixpkgs; inherit (cabal) getTestedWithVersions; };
 
-  systemd = import ./systemd;
+  systemd = import ./systemd { inherit lib; };
 
   types = import ./types.nix { inherit lib; };
 

diff --git a/lib/systemd/default.nix b/lib/systemd/default.nix
@@ -1,8 +1,14 @@
+{ lib }:
 {
 
   hardeningProfiles = import ./profiles.nix;
 
   hardenServices = import ./harden-services.nix;
 
   userLevelServices = import ./user-level-services.nix;
+
+  withHardeningProfile = profile: serviceConfig: lib.mkMerge [
+    (builtins.mapAttrs (_: lib.mkDefault) profile)
+    serviceConfig
+  ];
 }
diff --git a/lib/systemd/profiles.nix b/lib/systemd/profiles.nix
@@ -42,7 +42,6 @@ rec {
     #   "~CLONE_NEWUTS"
     # ];
     RestrictNamespaces = "yes";
-    DeviceAllow = "no";
     IPAddressDeny = "any";
     KeyringMode = "private";
     NoNewPrivileges = "yes";