Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests Projects 1 Wiki Activity

Restrict HRZ allowlist update service privileges

Browse source
This commit is contained in:
Gonne 2024-04-04 17:13:12 +02:00
parent 45a20b7f52
commit 4b684bc1e6
2 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
nixos/machines/lobon/configuration.nix
View file

@ -28,8 +28,8 @@
}; };
backupKey = { backupKey = {
sopsFile = ./backupKey.yaml; sopsFile = ./backupKey.yaml;
owner = "root"; owner = "mailman";
group = "root"; group = "mailman";
mode = "0400"; mode = "0400";
}; };
}; };

22
nixos/modules/mailman.nix
View file

@ -93,7 +93,25 @@ in {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "mailman"; User = "mailman";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true; PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
}; };
}; };
@ -113,8 +131,8 @@ in {
}; };
repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily"; startAt = "daily";
user = "root"; user = "mailman";
group = "root"; group = "mailman";
}; };
}; };
} }