Merge pull request #310366 from mweinelt/pretix-pretalx-homemode

pretix, pretalx: fixes, hardening
This commit is contained in:
Martin Weinelt 2024-05-10 14:50:24 +02:00 committed by GitHub
commit 7da17ece76
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 57 additions and 13 deletions

3
.github/CODEOWNERS vendored
View file

@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
# Pretix
pkgs/by-name/pr/pretix/ @mweinelt
pkgs/by-name/pr/pretalx/ @mweinelt
nixos/modules/services/web-apps/pretix.nix @mweinelt
nixos/modules/services/web-apps/pretalx.nix @mweinelt
nixos/tests/web-apps/pretix.nix @mweinelt
nixos/tests/web-apps/pretalx.nix @mweinelt
# incus/lxc/lxd
nixos/maintainers/scripts/lxd/ @adamcstephens

View file

@ -24,7 +24,7 @@ in
{
meta = with lib; {
maintainers = teams.c3d2.members;
maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
};
options.services.pretalx = {
@ -329,10 +329,47 @@ in
serviceConfig = {
User = "pretalx";
Group = "pretalx";
StateDirectory = [ "pretalx" "pretalx/media" ];
StateDirectory = [
"pretalx"
"pretalx/media"
];
StateDirectoryMode = "0750";
LogsDirectory = "pretalx";
WorkingDirectory = cfg.settings.filesystem.data;
SupplementaryGroups = [ "redis-pretalx" ];
AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0027";
};
};
in {
@ -395,6 +432,8 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
});
nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
};
systemd.sockets.pretalx-web.socketConfig = {
@ -403,11 +442,9 @@ in
};
users = {
groups."${cfg.group}" = {};
users."${cfg.user}" = {
groups.${cfg.group} = {};
users.${cfg.user} = {
isSystemUser = true;
createHome = true;
home = cfg.settings.filesystem.data;
inherit (cfg) group;
};
};

View file

@ -468,7 +468,7 @@ in
StateDirectory = [
"pretix"
];
StateDirectoryMode = "0755";
StateDirectoryMode = "0750";
CacheDirectory = "pretix";
LogsDirectory = "pretix";
WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
"~@privileged"
"@chown"
];
UMask = "0022";
UMask = "0027";
};
};
in {
@ -561,6 +561,8 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
};
nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
};
systemd.sockets.pretix-web.socketConfig = {
@ -569,11 +571,9 @@ in
};
users = {
groups."${cfg.group}" = {};
users."${cfg.user}" = {
groups.${cfg.group} = {};
users.${cfg.user} = {
isSystemUser = true;
createHome = true;
home = cfg.settings.pretix.datadir;
inherit (cfg) group;
};
};

View file

@ -27,5 +27,9 @@
pretalx.wait_for_unit("pretalx-worker.service")
pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
pretalx.succeed("pretalx-manage --help")
pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
'';
}

View file

@ -42,7 +42,7 @@ let
homepage = "https://github.com/pretalx/pretalx";
changelog = "https://docs.pretalx.org/en/latest/changelog.html";
license = licenses.asl20;
maintainers = teams.c3d2.members;
maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
platforms = platforms.linux;
};