Merge pull request #202187 from hmenke/alps

nixos/modules/services/web-apps/alps.nix

@@ -98,11 +98,11 @@ in {
 
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
         DynamicUser = true;
-        ## This is desirable but would restrict bindIP to 127.0.0.1
-        #IPAddressAllow = "localhost";
-        #IPAddressDeny = "any";
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
         NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateIPC = true;
@@ -122,8 +122,10 @@ in {
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
+        SocketBindAllow = cfg.port;
+        SocketBindDeny = "any";
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
+        SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
       };
     };
   };

nixos/tests/alps.nix

@@ -90,7 +90,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     };
   };
 
-  testScript = ''
+  testScript = { nodes, ... }: ''
     server.start()
     server.wait_for_unit("postfix.service")
     server.wait_for_unit("dovecot2.service")
@@ -99,6 +99,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 
     client.start()
     client.wait_for_unit("alps.service")
+    client.wait_for_open_port(${toString nodes.client.config.services.alps.port})
     client.succeed("test-alps-login")
   '';
 })