From 061c913c366b339fd28b741ca2f56dacb64497f8 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 3 Apr 2021 23:00:48 +0300 Subject: [PATCH 1/2] nixos/redis: enable sandbox mode --- nixos/modules/services/databases/redis.nix | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 3ddc7aad81e..24fe4ab3cc2 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -295,6 +295,32 @@ in StateDirectoryMode = "0700"; # Access write directories UMask = "0077"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; }; }; }; From e075aeb8c0113b3d91c63aa99b22dcb4ce5a0d81 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 12 Apr 2021 12:36:28 +0300 Subject: [PATCH 2/2] nixos/redis: add option maxclients --- nixos/modules/services/databases/redis.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 24fe4ab3cc2..7ec10c0eb5a 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.redis; + ulimitNofile = cfg.maxclients + 32; + mkValueString = value: if value == true then "yes" else if value == false then "no" @@ -14,8 +16,8 @@ let listsAsDuplicateKeys = true; mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; } cfg.settings); -in -{ + +in { imports = [ (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") @@ -121,6 +123,12 @@ in description = "Set the number of databases."; }; + maxclients = mkOption { + type = types.int; + default = 10000; + description = "Set the max number of connected clients at the same time."; + }; + save = mkOption { type = with types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; @@ -253,6 +261,7 @@ in logfile = cfg.logfile; syslog-enabled = cfg.syslog; databases = cfg.databases; + maxclients = cfg.maxclients; save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; dbfilename = "dump.rdb"; dir = "/var/lib/redis"; @@ -299,6 +308,8 @@ in CapabilityBoundingSet = ""; # Security NoNewPrivileges = true; + # Process Properties + LimitNOFILE = "${toString ulimitNofile}"; # Sandboxing ProtectSystem = "strict"; ProtectHome = true;