public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/iodine: hardening

Browse Source
This commit is contained in:
Symphorien Gibol 2020-02-02 12:00:00 +00:00
parent 7437bff7d1
commit 00a91d919d
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
nixos/modules/services/networking/iodine.nix
View File

@ -9,6 +9,8 @@ let
iodinedUser = "iodined"; iodinedUser = "iodined";
/* is this path made unreadable by ProtectHome = true ? */
isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x;
in in
{ {
imports = [ imports = [
@ -134,6 +136,24 @@ in
serviceConfig = { serviceConfig = {
RestartSec = "30s"; RestartSec = "30s";
Restart = "always"; Restart = "always";
# hardening :
# Filesystem access
ProtectSystem = "strict";
ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ;
PrivateTmp = true;
ReadWritePaths = "/dev/net/tun";
PrivateDevices = false;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
# Caps
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
MemoryDenyWriteExecute = true;
}; };
}; };
in in
@ -147,6 +167,24 @@ in
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}"; script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
serviceConfig = {
# Filesystem access
ProtectSystem = "strict";
ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ;
PrivateTmp = true;
ReadWritePaths = "/dev/net/tun";
PrivateDevices = false;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
# Caps
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
MemoryDenyWriteExecute = true;
};
}; };
}; };