From 9afcf733f3ba0dc84dfea3bc012c2779da8bd222 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 9 May 2024 17:25:59 +0200 Subject: [PATCH] nixos/pretix: update hardening - Transition from world-readable to group-readable UMask - Remove world permissions from state directory --- nixos/modules/services/web-apps/pretix.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix index 0e8e4cac6782..498face7456d 100644 --- a/nixos/modules/services/web-apps/pretix.nix +++ b/nixos/modules/services/web-apps/pretix.nix @@ -468,7 +468,7 @@ in StateDirectory = [ "pretix" ]; - StateDirectoryMode = "0755"; + StateDirectoryMode = "0750"; CacheDirectory = "pretix"; LogsDirectory = "pretix"; WorkingDirectory = cfg.settings.pretix.datadir; @@ -507,7 +507,7 @@ in "~@privileged" "@chown" ]; - UMask = "0022"; + UMask = "0027"; }; }; in { @@ -561,6 +561,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; }; + + nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ]; }; systemd.sockets.pretix-web.socketConfig = {