cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

nixos/pretix: update hardening

Browse source 
- Transition from world-readable to group-readable UMask
- Remove world permissions from state directory
This commit is contained in:
Martin Weinelt 2024-05-09 17:25:59 +02:00
parent e2ccc754ac
commit 9afcf733f3
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/modules/services/web-apps/pretix.nix
View file

@ -468,7 +468,7 @@ in
StateDirectory = [ StateDirectory = [
"pretix" "pretix"
]; ];
StateDirectoryMode = "0755"; StateDirectoryMode = "0750";
CacheDirectory = "pretix"; CacheDirectory = "pretix";
LogsDirectory = "pretix"; LogsDirectory = "pretix";
WorkingDirectory = cfg.settings.pretix.datadir; WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
"~@privileged" "~@privileged"
"@chown" "@chown"
]; ];
UMask = "0022"; UMask = "0027";
}; };
}; };
in { in {
@ -561,6 +561,8 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
}; };
nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
}; };
systemd.sockets.pretix-web.socketConfig = { systemd.sockets.pretix-web.socketConfig = {