authorAlexandre Iooss <erdnaxe@crans.org>2021-08-08 10:27:01 +0200
committerAlexandre Iooss <erdnaxe@crans.org>2021-08-08 15:28:27 +0200
commit9898f7e0728d45cf9cd60d340e023683b7b6472d (patch)
tree0e6e4c20d3f2fc57d691826691f428c6483d1690 /nixos/modules/services/misc/nitter.nix
parent3a3f82631fa60bece8a7d499eee29e522c770fd8 (diff)
nixos/nitter: systemd unit hardening
Diffstat (limited to 'nixos/modules/services/misc/nitter.nix')
-rw-r--r--nixos/modules/services/misc/nitter.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix
index 095a15f21f6..301af76c336 100644
--- a/nixos/modules/services/misc/nitter.nix
+++ b/nixos/modules/services/misc/nitter.nix
@@ -312,6 +312,31 @@ in
           AmbientCapabilities = lib.mkIf (cfg.server.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
           Restart = "on-failure";
           RestartSec = "5s";
+          # Hardening
+          CapabilityBoundingSet = if (cfg.server.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          PrivateDevices = true;
+          # A private user cannot have process capabilities on the host's user
+          # namespace and thus CAP_NET_BIND_SERVICE has no effect.
+          PrivateUsers = (cfg.server.port >= 1024);
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+          UMask = "0077";
         };
     };
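Review bot: ProtectSystem is missing from the new hardening set, so even with `ProtectHome = true;` the service still has write access to /usr, /etc and /boot; I would add `ProtectSystem = "strict";` beside ProtectHome, plus a `ReadWritePaths` entry for any path nitter actually writes to (the start of serviceConfig, where a state or working directory might be declared, lies before this hunk, so I cannot tell from here whether one is needed). RestrictAddressFamilies now admits only AF_INET and AF_INET6, so if the module lets nitter reach redis over a Unix socket rather than TCP (not visible in this hunk) that setup would fail with EAFNOSUPPORT; either add `"AF_UNIX"` or record the TCP-only assumption in a comment such as `# redis is reached over TCP; AF_UNIX is deliberately excluded`. The PrivateUsers comment explains the port<1024 exception well; a parallel one-liner on CapabilityBoundingSet (`# Empty set drops every capability when the privileged port is not needed`) would make the `[ "" ]` idiom less surprising. The hunk's final context line appears to continue past the visible lines.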