nixos/pretalx: set up hardening
This commit is contained in:
parent
b4b3165619
commit
82f2cc7489
1 changed files with 35 additions and 0 deletions
|
@ -337,6 +337,39 @@ in
|
|||
LogsDirectory = "pretalx";
|
||||
WorkingDirectory = cfg.settings.filesystem.data;
|
||||
SupplementaryGroups = [ "redis-pretalx" ];
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
"@chown"
|
||||
];
|
||||
UMask = "0027";
|
||||
};
|
||||
};
|
||||
in {
|
||||
|
@ -399,6 +432,8 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
|
||||
});
|
||||
|
||||
nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
|
||||
};
|
||||
|
||||
systemd.sockets.pretalx-web.socketConfig = {
|
||||
|
|
Loading…
Reference in a new issue