# See `man systemd.exec` and `man systemd.resource-control` for an explanation
# of the various systemd options available through this module.
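lib: pkgs:

with lib;

# Reusable systemd hardening fragments. Each plain attribute is an attrset
# meant to be merged into a unit's `serviceConfig`; the `mkOption` values are
# NixOS option declarations for callers to place into their `options` block.
# When fragments are merged with `//`, the later attribute wins, so a service
# that needs an exception merges the relaxing fragment after `defaultHardening`.
let self = {
  # These settings roughly follow systemd's "strict" security profile
  # (compare with `systemd-analyze security <unit>` after applying them).
  defaultHardening = {
    PrivateTmp = "true";
    ProtectSystem = "strict";
    ProtectHome = "true";
    NoNewPrivileges = "true";
    PrivateDevices = "true";
    # W^X: no mapping may be writable and executable at the same time.
    # Runtimes with a JIT need this relaxed, see `nodejs` below.
    MemoryDenyWriteExecute = "true";
    ProtectKernelTunables = "true";
    ProtectKernelModules = "true";
    ProtectControlGroups = "true";
    # Only Unix sockets and IPv4/IPv6; other families (netlink, packet, ...)
    # are refused. `allowAnyProtocol` lifts this.
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    RestrictNamespaces = "true";
    LockPersonality = "true";
    # Default-deny all IP traffic. Services opt back in with `allowTor` or
    # `allowAnyIP`; systemd gives IPAddressAllow precedence over IPAddressDeny.
    IPAddressDeny = "any";
    PrivateUsers = "true";
    RestrictSUIDSGID = "true";
    RemoveIPC = "true";
    RestrictRealtime = "true";
    ProtectHostname = "true";
    # Empty bounding set: the service keeps no capabilities even when it is
    # started as root. `privileged` below is the explicit escape hatch.
    CapabilityBoundingSet = "";
    # @system-service whitelist and docker seccomp blacklist (except for "clone"
    # which is a core requirement for systemd services).
    # clone3 is denied with ENOSYS instead of the default EPERM: glibc >= 2.34
    # calls clone3 first in pthread_create()/fork() and only falls back to
    # clone() when it gets ENOSYS, so returning EPERM would break thread and
    # process creation for any service linked against a recent glibc.
    SystemCallFilter = [ "@system-service" "~add_key clone3:ENOSYS get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
    # Only the native syscall ABI (e.g. no i386/x32 syscalls on x86_64).
    SystemCallArchitectures = "native";
  };

  # nodejs applications apparently rely on memory write execute
  # (presumably for the V8 JIT). Merge after `defaultHardening`.
  nodejs = { MemoryDenyWriteExecute = "false"; };

  # Allow tor traffic. Allow takes precedence over Deny.
  # NOTE(review): 169.254.0.0/16 (link-local) is also allowed here; presumably
  # for the per-service network namespaces used by netns-isolation — verify
  # against the callers before narrowing it.
  allowTor = {
    IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
  };

  # Allow any traffic
  allowAnyIP = { IPAddressAllow = "any"; };

  # An empty deny-list ("~" with no families) disallows nothing, i.e. every
  # address family becomes available again.
  allowAnyProtocol = { RestrictAddressFamilies = "~"; };

  # Option declaration for services that can be forced through Tor. How the
  # flag is enforced is up to the module that consumes it.
  enforceTor = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to force Tor on a service by only allowing connections from and
      to 127.0.0.1.
    '';
  };

  # Wrap a shell snippet in a bash script (errexit + pipefail, but not
  # nounset) suitable for Exec* directives.
  script = src: pkgs.writers.writeBash "script" ''
    set -eo pipefail
    ${src}
  '';

  # Used for ExecStart*
  # The "+" prefix makes systemd run the script with full privileges: User=,
  # Group=, CapabilityBoundingSet= and the namespacing options above are NOT
  # applied to it (see systemd.service(5)). Keep such snippets minimal and
  # never feed them untrusted input.
  privileged = src: "+${self.script src}";

  cliExec = mkOption {
    # Used by netns-isolation to execute the cli in the service's private netns
    internal = true;
    type = types.str;
    default = "exec";
  };
}; in self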