nixos/pretalx: set up hardening

This commit is contained in:
Martin Weinelt 2024-05-09 17:24:43 +02:00
parent b4b3165619
commit 82f2cc7489
No known key found for this signature in database
GPG key ID: 87C1E9888F856759

View file

@ -337,6 +337,39 @@ in
LogsDirectory = "pretalx";
WorkingDirectory = cfg.settings.filesystem.data;
SupplementaryGroups = [ "redis-pretalx" ];
AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0027";
};
};
in {
@ -399,6 +432,8 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
});
nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
};
systemd.sockets.pretalx-web.socketConfig = {