Merge pull request #75384 from Izorkin/nginx-unit
nixos/unit: enable sanboxing
This commit is contained in:
Florian Klink
GitHub
commit
2a38b91cc4
|
|
@ -85,7 +85,7 @@ in {
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
"d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
"d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.unit = {
|
systemd.services.unit = {
|
||||||
description = "Unit App Server";
|
description = "Unit App Server";
|
||||||
|
|
@ -93,23 +93,39 @@ in {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = with pkgs; [ curl ];
|
path = with pkgs; [ curl ];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
test -f '/run/unit/control.unit.sock' || rm -f '/run/unit/control.unit.sock'
|
test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json'
|
||||||
'';
|
'';
|
||||||
postStart = ''
|
postStart = ''
|
||||||
curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
|
curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
|
|
||||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
|
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
|
${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
|
||||||
--log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
|
--log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
|
||||||
--user ${cfg.user} --group ${cfg.group}
|
--user ${cfg.user} --group ${cfg.group}
|
||||||
'';
|
'';
|
||||||
|
# User and group
|
||||||
|
User = cfg.user;
|
||||||
|
Group = cfg.group;
|
||||||
|
# Capabilities
|
||||||
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
|
||||||
|
# Security
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
# Sanboxing
|
||||||
|
ProtectSystem = "full";
|
||||||
|
ProtectHome = true;
|
||||||
RuntimeDirectory = "unit";
|
RuntimeDirectory = "unit";
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
PrivateMounts = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue