Merge pull request #310366 from mweinelt/pretix-pretalx-homemode
pretix, pretalx: fixes, hardening
7da17ece76
5 changed files with 57 additions and 13 deletions
3
.github/CODEOWNERS
3
.github/CODEOWNERS
|
@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
|
|||
|
||||
# Pretix
|
||||
pkgs/by-name/pr/pretix/ @mweinelt
|
||||
pkgs/by-name/pr/pretalx/ @mweinelt
|
||||
nixos/modules/services/web-apps/pretix.nix @mweinelt
|
||||
nixos/modules/services/web-apps/pretalx.nix @mweinelt
|
||||
nixos/tests/web-apps/pretix.nix @mweinelt
|
||||
nixos/tests/web-apps/pretalx.nix @mweinelt
|
||||
|
||||
# incus/lxc/lxd
|
||||
nixos/maintainers/scripts/lxd/ @adamcstephens
|
||||
|
|
|
@ -24,7 +24,7 @@ in
|
|||
|
||||
{
|
||||
meta = with lib; {
|
||||
maintainers = teams.c3d2.members;
|
||||
maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
|
||||
};
|
||||
|
||||
options.services.pretalx = {
|
||||
|
@ -329,10 +329,47 @@ in
|
|||
serviceConfig = {
|
||||
User = "pretalx";
|
||||
Group = "pretalx";
|
||||
StateDirectory = [ "pretalx" "pretalx/media" ];
|
||||
StateDirectory = [
|
||||
"pretalx"
|
||||
"pretalx/media"
|
||||
];
|
||||
StateDirectoryMode = "0750";
|
||||
LogsDirectory = "pretalx";
|
||||
WorkingDirectory = cfg.settings.filesystem.data;
|
||||
SupplementaryGroups = [ "redis-pretalx" ];
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
"@chown"
|
||||
];
|
||||
UMask = "0027";
|
||||
};
|
||||
};
|
||||
in {
|
||||
|
@ -395,6 +432,8 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
|
||||
});
|
||||
|
||||
nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
|
||||
};
|
||||
|
||||
systemd.sockets.pretalx-web.socketConfig = {
|
||||
|
@ -403,11 +442,9 @@ in
|
|||
};
|
||||
|
||||
users = {
|
||||
groups."${cfg.group}" = {};
|
||||
users."${cfg.user}" = {
|
||||
groups.${cfg.group} = {};
|
||||
users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
home = cfg.settings.filesystem.data;
|
||||
inherit (cfg) group;
|
||||
};
|
||||
};
|
||||
|
|
|
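Review bot: The `"@chown"` entry that re-enables chown after `"~@privileged"` in SystemCallFilter is the one privileged group the sandbox leaves open, and nothing in the hunk says which code path needs it; a comment next to it, `# re-allowed after ~@privileged — TODO(review): document which pretalx operation chowns`, would keep a later reviewer from tightening it blindly. The two capability lines use different forms, `AmbientCapabilities = ""` as a string and `CapabilityBoundingSet = [ "" ]` as a list; pick one shape for both. `StateDirectoryMode = "0750"` together with `UMask = "0027"` only works for serving media because nginx is added to the `pretalx` group in the later hunk (`nginx.serviceConfig.SupplementaryGroups = ...`), which is worth a one-line comment at the mode setting so the two are not changed independently. With `ProtectSystem = "strict"` and no ReadWritePaths, writes are presumably limited to the StateDirectory and LogsDirectory paths; if `cfg.settings.filesystem.data` can be configured outside `/var/lib/pretalx`, the `WorkingDirectory` and `createHome = true` pointing at it would become unwritable, which I cannot confirm from this hunk.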
@ -468,7 +468,7 @@ in
|
|||
StateDirectory = [
|
||||
"pretix"
|
||||
];
|
||||
StateDirectoryMode = "0755";
|
||||
StateDirectoryMode = "0750";
|
||||
CacheDirectory = "pretix";
|
||||
LogsDirectory = "pretix";
|
||||
WorkingDirectory = cfg.settings.pretix.datadir;
|
||||
|
@ -507,7 +507,7 @@ in
|
|||
"~@privileged"
|
||||
"@chown"
|
||||
];
|
||||
UMask = "0022";
|
||||
UMask = "0027";
|
||||
};
|
||||
};
|
||||
in {
|
||||
|
@ -561,6 +561,8 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
|
||||
};
|
||||
|
||||
nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
|
||||
};
|
||||
|
||||
systemd.sockets.pretix-web.socketConfig = {
|
||||
|
@ -569,11 +571,9 @@ in
|
|||
};
|
||||
|
||||
users = {
|
||||
groups."${cfg.group}" = {};
|
||||
users."${cfg.user}" = {
|
||||
groups.${cfg.group} = {};
|
||||
users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
home = cfg.settings.pretix.datadir;
|
||||
inherit (cfg) group;
|
||||
};
|
||||
};
|
||||
|
|
|
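Review bot: Tightening `StateDirectoryMode` from `"0755"` to `"0750"` and `UMask` from `"0022"` to `"0027"` applies to the top-level state directory and to files created from now on, but files already under `/var/lib/pretix` from earlier deployments keep their previous world-readable modes, so the hardening is not retroactive for existing installs. A comment such as `# tightened from 0755/0022; files from earlier deployments keep their old modes` at the StateDirectoryMode line, or a release-notes entry, would make that explicit. The same consideration applies to the new `StateDirectoryMode`/`UMask` lines in the pretalx module hunk. The context line `CacheDirectory = "pretix";` carries no corresponding `CacheDirectoryMode`, so it presumably stays at the default mode; worth checking whether the same tightening is wanted there.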
@ -27,5 +27,9 @@
|
|||
pretalx.wait_for_unit("pretalx-worker.service")
|
||||
|
||||
pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
|
||||
|
||||
pretalx.succeed("pretalx-manage --help")
|
||||
|
||||
pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
|
||||
'';
|
||||
}
|
||||
|
|
|
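Review bot: The new `pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))` only records the exposure report, so a regression that loosens the sandbox would still pass the test. `systemd-analyze security` accepts `--threshold=`, which turns the report into an assertion: `pretalx.succeed("systemd-analyze security --threshold=<SCORE> pretalx-web.service")` with `<SCORE>` set to the exposure level the hardening hunk actually reaches. The diffstat lists five files and none of them appears to be the pretix test, so the pretix service, which receives a parallel hardening change in this commit, seems to get no equivalent check.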
@ -42,7 +42,7 @@ let
|
|||
homepage = "https://github.com/pretalx/pretalx";
|
||||
changelog = "https://docs.pretalx.org/en/latest/changelog.html";
|
||||
license = licenses.asl20;
|
||||
maintainers = teams.c3d2.members;
|
||||
maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
|
||||
|
|