authorVika <vika@fireburn.ru>2023-06-15 15:44:52 +0300
committerVika <vika@fireburn.ru>2023-06-15 15:44:52 +0300
commit141ab30fc156e1ff9b6d6d8f48ead80bdaa7e65d (patch)
treeb18a50c8775a19c7d164082c1be383c70e27db28 /configuration.nix
parent06e27ddee1d090086c4b2b01cbbfec928a9264bc (diff)
downloadkittybox-141ab30fc156e1ff9b6d6d8f48ead80bdaa7e65d.tar.zst
configuration.nix: harden unit file and make docs Markdown
Diffstat (limited to 'configuration.nix')
-rw-r--r--configuration.nix58
1 files changed, 47 insertions, 11 deletions
diff --git a/configuration.nix b/configuration.nix
index 239243f..b3b7ada 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,25 +42,26 @@ in {
         type = types.str;
         default = "file:///var/lib/kittybox/data";
         example = "redis://192.168.1.200:6379";
-        description = ''
+        description = lib.mdDoc ''
           Set the backend used for storing data. Available backends are:
-           - file:// - static folder backend (recommended)
-           - redis:// - Redis backend (currently unavailable)
+           - `file://` - static folder backend (recommended)
+           - `redis://` - Redis backend (currently unavailable)
 
           Make sure that if you are using the file backend, the state
           directory is accessible by Kittybox. By default, the unit config
-          uses DynamicUser=true, which prevents the unit from accessing
-          data outside of its directory. It is recommended to reconfigure
-          the sandboxing or use a bind-mount to /var/lib/private/kittybox
-          if you require the state directory to reside elsewhere.
+          uses DynamicUser=true and heavy sandboxing options which prevent
+          the unit from accessing data outside of its directory. It is
+          recommended to reconfigure the sandboxing or use a bind-mount to
+          `/var/lib/private/kittybox` if you require the state directory to
+          reside elsewhere.
         '';
       };
       blobstoreUri = mkOption {
         type = types.nullOr types.str;
         default = "file:///var/lib/kittybox/media";
-        description = ''
+        description = lib.mdDoc ''
           Set the backend used for the media endpoint storage. Available options are:
-            - file:// - content-addressed storage using flat files (recommended)
+            - `file://` - content-addressed storage using flat files (recommended)
 
           When using the file backend, check notes in the `backendUri` option too.
         '';
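Review bot: The new `backendUri` description tells users to "reconfigure the sandboxing" if the state directory lives elsewhere, but does not say which knob; with the unit's `ProtectSystem = "strict"` any path outside the `StateDirectory` is read-only until it is listed in `ReadWritePaths=`, and the bind-mount alternative is `BindPaths=`. Suggest replacing the last sentence with `If you require the state directory to reside elsewhere, add it to the unit's ReadWritePaths= (or bind-mount it over /var/lib/private/kittybox with BindPaths=), since ProtectSystem=strict makes the rest of the filesystem read-only.` The same caveat applies to the `blobstoreUri` and `authstoreUri` defaults, which point at the same tree. The `backendUri` `mkOption` block is complete within this hunk.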
@@ -68,9 +69,9 @@ in {
       authstoreUri = mkOption {
         type = types.nullOr types.str;
         default = "file:///var/lib/kittybox/auth";
-        description = ''
+        description = lib.mdDoc ''
           Set the backend used for persisting authentication data. Available options are:
-           - file:// - flat files. Codes are stored globally, tokens and
+           - `file://` - flat files. Codes are stored globally, tokens and
              credentials are stored per-site.
         '';
       };
@@ -153,6 +154,41 @@ in {
       serviceConfig = {
         DynamicUser = true;
         StateDirectory = "kittybox";
+        # Hardening
+        NoNewPrivileges = true;
+        CapabilityBoundingSet = "";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        ProtectProc = "invisible";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@aio"
+          "@basic-io"
+          "@file-system"
+          "@io-event"
+          "@network-io"
+          "@sync"
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        PrivateDevices = true;
+        DeviceAllow = [ "" ];
+        UMask = "0077";
+        IPAddressDeny = [ "link-local" "multicast" ];
       };
     };
   };
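Review bot: In the new `SystemCallFilter`, the explicit `@aio`, `@basic-io`, `@file-system`, `@io-event`, `@network-io` and `@sync` entries are all already members of `@system-service`, so the list can be reduced to `[ "@system-service" "~@privileged" "~@resources" ]` with no change to the resulting filter. `~@resources` removes `setrlimit`/`prlimit64` as well as the scheduler calls; if the daemon raises `RLIMIT_NOFILE` at startup (not verifiable from this file) it will be killed with SIGSYS, so a comment such as `# ~@resources also blocks setrlimit/prlimit64; relax if the daemon adjusts RLIMIT_NOFILE` would save the next person a confusing failure. `DeviceAllow = [ "" ]` is redundant with `PrivateDevices = true`, which already implies `DevicePolicy=closed`. Given `DynamicUser = true` and an empty `CapabilityBoundingSet`, `PrivateUsers = true` is the one commonly-paired option missing here and should be safe to add. The enclosing `systemd.services` definition starts outside this hunk.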