From a70a3e61d77e64233b12e6ed678fbdf4b694c262 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 22 Jul 2023 23:47:26 +0200
Subject: nixos/hedgedoc: harden systemd unit
---
 nixos/modules/services/web-apps/hedgedoc.nix | 39 ++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
(limited to 'nixos/modules/services/web-apps')
diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix
index 2cc732636e6d..3ad60678647d 100644
--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@@ -273,7 +273,46 @@ in
 "CMD_CONFIG_FILE=/run/${name}/config.json"
 "NODE_ENV=production"
 ];
+
+ # Hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
 PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ # Required for connecting to database sockets,
+ # and listening to unix socket at `cfg.settings.path`
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SocketBindAllow = lib.mkIf (cfg.settings.path == null) cfg.settings.port;
+ SocketBindDeny = "any";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged @obsolete"
+ "@pkey"
+ ];
+ UMask = "0007";
 };
 };
 };
-- 
cgit 1.4.1
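Review bot: `ProtectSystem = "strict"` makes the whole filesystem read-only except for directories the unit explicitly owns, so this only works if `/run/${name}` (used by the `CMD_CONFIG_FILE` environment entry visible at the top of the hunk) and HedgeDoc's upload/state directories are granted through `RuntimeDirectory`/`StateDirectory` or `ReadWritePaths`; those settings are outside this hunk, so confirm they exist, otherwise the config write and uploads fail at start. With `CapabilityBoundingSet = ""` the service also cannot bind a port below 1024, which deserves a one-line comment next to `SocketBindAllow`, e.g. `# ports < 1024 need CAP_NET_BIND_SERVICE, which the bounding set drops`. The `@pkey` entry in `SystemCallFilter` and the group-writable `UMask = "0007"` are the only two non-obvious choices without a stated rationale; a short comment on each (presumably `@pkey` is required by the Node.js runtime, which should be stated if so) would keep a later cleanup from removing them. The enclosing `serviceConfig` attrset starts before the hunk.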