authorMartin Weinelt <hexa@darmstadt.ccc.de>2024-05-09 17:24:43 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2024-05-09 18:20:13 +0200
commit82f2cc74894c7e330464351e2f6ef596f49b833e (patch)
treea531065cdaee9fab4472d917f531ca52ab0defda /nixos
parentb4b316561944d9916be8c40bcd70a7dc672ca067 (diff)
nixos/pretalx: set up hardening
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/web-apps/pretalx.nix35
1 files changed, 35 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix
index e0ce6e72e1b5..ee1236391d81 100644
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -337,6 +337,39 @@ in
LogsDirectory = "pretalx";
WorkingDirectory = cfg.settings.filesystem.data;
SupplementaryGroups = [ "redis-pretalx" ];
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = [ "" ];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "@chown"
+ ];
+ UMask = "0027";
};
};
in {
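Review bot: `ProtectSystem = "strict"` (L40) makes the whole file system read-only apart from systemd-managed directories, and the only such directory visible in this hunk is `LogsDirectory = "pretalx"`; if `cfg.settings.filesystem.data` (used as `WorkingDirectory` on L22 and presumably where pretalx writes media and data files) is not declared as a `StateDirectory` or listed in `ReadWritePaths` in the lines above the hunk, those writes will fail with EROFS once this lands. The `SystemCallFilter` re-adds `@chown` after `~@privileged` without saying why; a one-line comment before it, such as `# @chown is re-allowed after ~@privileged because pretalx changes ownership of files under its data directory (confirm against pretalx's behaviour)`, would stop the next maintainer from dropping it as a leftover. `AmbientCapabilities = ""` and `CapabilityBoundingSet = [ "" ]` express the same empty setting in two forms; writing `CapabilityBoundingSet = "";` keeps the pair consistent. The enclosing serviceConfig attribute set starts above this hunk, so the directory declarations cannot be checked from here.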
@@ -399,6 +432,8 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
});
+
+ nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
};
systemd.sockets.pretalx-web.socketConfig = {