public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/factorio: sandbox service using systemd

Browse Source 
- DynamicUser enabled instead of static uid/gid
- Enables most sandboxing options systemd offers
This commit is contained in:
nyanloutre 2019-05-01 21:56:58 +02:00
parent bc9df0f661
commit 85b3448e6a
2 changed files with 23 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/misc/ids.nix
View File

@ -265,7 +265,7 @@
syncthing = 237; syncthing = 237;
caddy = 239; caddy = 239;
taskd = 240; taskd = 240;
factorio = 241; # factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01 # emby = 242; # unusued, removed 2019-05-01
graylog = 243; graylog = 243;
sniproxy = 244; sniproxy = 244;
@ -567,7 +567,7 @@
syncthing = 237; syncthing = 237;
caddy = 239; caddy = 239;
taskd = 240; taskd = 240;
factorio = 241; # factorio = 241; # unused
# emby = 242; # unused, removed 2019-05-01 # emby = 242; # unused, removed 2019-05-01
sniproxy = 244; sniproxy = 244;
nzbget = 245; nzbget = 245;

44
nixos/modules/services/games/factorio.nix
View File

@ -6,7 +6,7 @@ let
cfg = config.services.factorio; cfg = config.services.factorio;
factorio = pkgs.factorio-headless; factorio = pkgs.factorio-headless;
name = "Factorio"; name = "Factorio";
stateDir = cfg.stateDir; stateDir = "/var/lib/${cfg.stateDirName}";
mkSavePath = name: "${stateDir}/saves/${name}.zip"; mkSavePath = name: "${stateDir}/saves/${name}.zip";
configFile = pkgs.writeText "factorio.conf" '' configFile = pkgs.writeText "factorio.conf" ''
use-system-read-write-data-directories=true use-system-read-write-data-directories=true
@ -80,11 +80,11 @@ in
customizations. customizations.
''; '';
}; };
stateDir = mkOption { stateDirName = mkOption {
type = types.path; type = types.string;
default = "/var/lib/factorio"; default = "factorio";
description = '' description = ''
The server's data directory. Name of the directory under /var/lib holding the server's data.
The configuration and map will be stored here. The configuration and map will be stored here.
''; '';
@ -176,20 +176,6 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users = {
users.factorio = {
uid = config.ids.uids.factorio;
description = "Factorio server user";
group = "factorio";
home = stateDir;
createHome = true;
};
groups.factorio = {
gid = config.ids.gids.factorio;
};
};
systemd.services.factorio = { systemd.services.factorio = {
description = "Factorio headless server"; description = "Factorio headless server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -205,12 +191,10 @@ in
]; ];
serviceConfig = { serviceConfig = {
User = "factorio";
Group = "factorio";
Restart = "always"; Restart = "always";
KillSignal = "SIGINT"; KillSignal = "SIGINT";
WorkingDirectory = stateDir; DynamicUser = true;
PrivateTmp = true; StateDirectory = cfg.stateDirName;
UMask = "0007"; UMask = "0007";
ExecStart = toString [ ExecStart = toString [
"${factorio}/bin/factorio" "${factorio}/bin/factorio"
@ -220,6 +204,20 @@ in
"--server-settings=${serverSettingsFile}" "--server-settings=${serverSettingsFile}"
(optionalString (cfg.mods != []) "--mod-directory=${modDir}") (optionalString (cfg.mods != []) "--mod-directory=${modDir}")
]; ];
# Sandboxing
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictRealtime = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
}; };
}; };