author | h7x4 <h7x4@nani.wtf> | 2023-07-22 23:47:26 +0200 |
---|---|---|
committer | h7x4 <h7x4@nani.wtf> | 2023-10-16 20:38:47 +0200 |
commit | a70a3e61d77e64233b12e6ed678fbdf4b694c262 (patch) | |
tree | 1115e3e52bda626bfa3d129f77814382299f8a48 | |
parent | 6cd8da76f9fa62343e22a0cbeda3ade5345901ec (diff) | |
nixos/hedgedoc: harden systemd unit
-rw-r--r-- | nixos/modules/services/web-apps/hedgedoc.nix | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix
index 2cc732636e6..3ad60678647 100644
--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@@ -273,7 +273,46 @@ in
 "CMD_CONFIG_FILE=/run/${name}/config.json"
 "NODE_ENV=production"
 ];
+
+ # Hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
 PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ # Required for connecting to database sockets,
+ # and listening to unix socket at `cfg.settings.path`
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SocketBindAllow = lib.mkIf (cfg.settings.path == null) cfg.settings.port;
+ SocketBindDeny = "any";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged @obsolete"
+ "@pkey"
+ ];
+ UMask = "0007";
 };
 };
 }; |
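Review bot: `ProtectSystem = "strict"` makes the entire file system read-only for the unit except /dev, /proc and /sys, so every location HedgeDoc writes to (its working/upload directory, and `/run/${name}` where the context line places the generated config) must be declared through `StateDirectory`, `RuntimeDirectory` or `ReadWritePaths`, or the service fails at runtime with EROFS. The hunk only shows the tail of `serviceConfig` (the enclosing attribute set starts outside it), so it cannot be seen here whether such directives already exist; if they do not, add one next to the new hardening lines, e.g. `ReadWritePaths = [ "/path/to/hedgedoc-state" ];` (placeholder, substitute the module's working-directory option). A one-line comment on `SocketBindAllow` would also help the next reader, since the interplay with `SocketBindDeny = "any"` is not obvious: `# TCP bind is only permitted when not listening on a Unix socket; SocketBind* does not apply to AF_UNIX`.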