diff options
author | Alexandre Iooss <erdnaxe@crans.org> | 2021-08-08 10:27:01 +0200 |
---|---|---|
committer | Alexandre Iooss <erdnaxe@crans.org> | 2021-08-08 15:28:27 +0200 |
commit | 9898f7e0728d45cf9cd60d340e023683b7b6472d (patch) | |
tree | 0e6e4c20d3f2fc57d691826691f428c6483d1690 /nixos/modules/services/misc/nitter.nix | |
parent | 3a3f82631fa60bece8a7d499eee29e522c770fd8 (diff) | |
download | nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar.gz nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar.bz2 nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar.lz nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar.xz nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.tar.zst nixpkgs-9898f7e0728d45cf9cd60d340e023683b7b6472d.zip |
nixos/nitter: systemd unit hardening
Diffstat (limited to 'nixos/modules/services/misc/nitter.nix')
-rw-r--r-- | nixos/modules/services/misc/nitter.nix | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix index 095a15f21f6..301af76c336 100644 --- a/nixos/modules/services/misc/nitter.nix +++ b/nixos/modules/services/misc/nitter.nix @@ -312,6 +312,31 @@ in AmbientCapabilities = lib.mkIf (cfg.server.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "5s"; + # Hardening + CapabilityBoundingSet = if (cfg.server.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + # A private user cannot have process capabilities on the host's user + # namespace and thus CAP_NET_BIND_SERVICE has no effect. + PrivateUsers = (cfg.server.port >= 1024); + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; }; }; |