nixos/plantuml-server: add hardening

author: Anthony Roussel <anthony@roussel.dev> 2023-11-14 23:58:37 +0100
committer: Anthony Roussel <anthony@roussel.dev> 2023-11-15 15:12:58 +0100
commit: 09e9d47508a1bc6c90c3c324a166d8f13b89528c (patch)
tree: 9f16ec52185de7fd1055a0569aafc44c10283153 /nixos/modules
parent: e3839eef716ba5627b141698d80adf90edd8c05c (diff)
download: nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.gz
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.bz2
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.lz
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.xz
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.zst
nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.zip
1 files changed, 28 insertions, 9 deletions
diff --git a/nixos/modules/services/web-apps/plantuml-server.nix b/nixos/modules/services/web-apps/plantuml-server.nix
index d84e9fb683c..0c23efe47f3 100644
--- a/nixos/modules/services/web-apps/plantuml-server.nix
+++ b/nixos/modules/services/web-apps/plantuml-server.nix
@@ -106,19 +106,11 @@ in
   };
 
   config = mkIf cfg.enable {
-    users.users.${cfg.user} = {
-      isSystemUser = true;
-      group = cfg.group;
-      home = cfg.home;
-      createHome = true;
-    };
-
-    users.groups.${cfg.group} = {};
-
     systemd.services.plantuml-server = {
       description = "PlantUML server";
       wantedBy = [ "multi-user.target" ];
       path = [ cfg.home ];
+
       environment = {
         PLANTUML_LIMIT_SIZE = builtins.toString cfg.plantumlLimitSize;
         GRAPHVIZ_DOT = "${cfg.graphvizPackage}/bin/dot";
@@ -135,10 +127,37 @@ in
           jetty.http.host=${cfg.listenHost} \
           jetty.http.port=${builtins.toString cfg.listenPort}
       '';
+
       serviceConfig = {
         User = cfg.user;
         Group = cfg.group;
+        StateDirectory = mkIf (cfg.home == "/var/lib/plantuml") "plantuml";
+        StateDirectoryMode = mkIf (cfg.home == "/var/lib/plantuml") "0750";
+
+        # Hardening
+        AmbientCapabilities = [ "" ];
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateNetwork = false;
         PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" ];
       };
     };
   };
author	Anthony Roussel <anthony@roussel.dev>	2023-11-14 23:58:37 +0100
committer	Anthony Roussel <anthony@roussel.dev>	2023-11-15 15:12:58 +0100
commit	09e9d47508a1bc6c90c3c324a166d8f13b89528c (patch)
tree	9f16ec52185de7fd1055a0569aafc44c10283153 /nixos/modules
parent	e3839eef716ba5627b141698d80adf90edd8c05c (diff)
download	nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.gz nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.bz2 nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.lz nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.xz nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.tar.zst nixpkgs-09e9d47508a1bc6c90c3c324a166d8f13b89528c.zip