about summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorMartin Milata <martin@martinmilata.cz>2020-02-11 17:55:03 +0100
committerMartin Milata <martin@martinmilata.cz>2020-03-09 23:32:54 +0100
commit57f5fb62d4bccbf758a766fe11ce662cd07726ea (patch)
tree9706a7decf4e245d8fa1e449a7af18cc54be9038 /nixos
parentb150e08169d95c5813ded16959002da38282d850 (diff)
downloadnixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar.gz
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar.bz2
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar.lz
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar.xz
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.tar.zst
nixlib-57f5fb62d4bccbf758a766fe11ce662cd07726ea.zip
nixos/supybot: enable systemd sandboxing options
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml10


-rw-r--r--nixos/modules/services/networking/supybot.nix33


2 files changed, 38 insertions, 5 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 892208b01d7d..c2149a687037 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -72,6 +72,16 @@
 }</programlisting>
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
+      as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
+      is 20.09 or higher. It also enables number of
+      <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
+      which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
+      <option>systemd.services.supybot.serviceConfig</option>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/services/networking/supybot.nix b/nixos/modules/services/networking/supybot.nix
index 21e9fbd6e604..fabe4d0cb2bb 100644
--- a/nixos/modules/services/networking/supybot.nix
+++ b/nixos/modules/services/networking/supybot.nix
@@ -3,13 +3,11 @@
 with lib;
 
 let
-
   cfg  = config.services.supybot;
-
+  isStateDirHome = hasPrefix "/home/" cfg.stateDir;
+  isStateDirVar = cfg.stateDir == "/var/lib/supybot";
 in
-
 {
-
   options = {
 
     services.supybot = {
@@ -43,7 +41,6 @@ in
 
   };
 
-
   config = mkIf cfg.enable {
 
     environment.systemPackages = [ pkgs.pythonPackages.limnoria ];
@@ -79,6 +76,32 @@ in
         Restart = "on-abort";
         StartLimitInterval = "5m";
         StartLimitBurst = "1";
+
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RemoveIPC = true;
+        ProtectHostname = true;
+        CapabilityBoundingSet = "";
+        ProtectSystem = "full";
+      }
+      // optionalAttrs isStateDirVar {
+        StateDirectory = "supybot";
+        ProtectSystem = "strict";
+      }
+      // optionalAttrs (!isStateDirHome) {
+        ProtectHome = true;
       };
     };
 

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-09 09:18:48 +0000