From 141ab30fc156e1ff9b6d6d8f48ead80bdaa7e65d Mon Sep 17 00:00:00 2001
From: Vika
Date: Thu, 15 Jun 2023 15:44:52 +0300
Subject: configuration.nix: harden unit file and make docs Markdown

---
 configuration.nix | 58 ++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 11 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 239243f..b3b7ada 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,25 +42,26 @@ in {
 type = types.str;
 default = "file:///var/lib/kittybox/data";
 example = "redis://192.168.1.200:6379";
- description = ''
+ description = lib.mdDoc ''
 Set the backend used for storing data. Available backends are:
- - file:// - static folder backend (recommended)
- - redis:// - Redis backend (currently unavailable)
+ - `file://` - static folder backend (recommended)
+ - `redis://` - Redis backend (currently unavailable)
 Make sure that if you are using the file backend, the state directory is accessible by Kittybox. By default, the unit config
- uses DynamicUser=true, which prevents the unit from accessing
- data outside of its directory. It is recommended to reconfigure
- the sandboxing or use a bind-mount to /var/lib/private/kittybox
- if you require the state directory to reside elsewhere.
+ uses DynamicUser=true and heavy sandboxing options which prevent
+ the unit from accessing data outside of its directory. It is
+ recommended to reconfigure the sandboxing or use a bind-mount to
+ `/var/lib/private/kittybox` if you require the state directory to
+ reside elsewhere.
 '';
 };
 blobstoreUri = mkOption {
 type = types.nullOr types.str;
 default = "file:///var/lib/kittybox/media";
- description = ''
+ description = lib.mdDoc ''
 Set the backend used for the media endpoint storage. Available options are:
- - file:// - content-addressed storage using flat files (recommended)
+ - `file://` - content-addressed storage using flat files (recommended)
 When using the file backend, check notes in the `backendUri` option too.
 '';
@@ -68,9 +69,9 @@ in {
 authstoreUri = mkOption {
 type = types.nullOr types.str;
 default = "file:///var/lib/kittybox/auth";
- description = ''
+ description = lib.mdDoc ''
 Set the backend used for persisting authentication data. Available options are:
- - file:// - flat files. Codes are stored globally, tokens and
+ - `file://` - flat files. Codes are stored globally, tokens and
 credentials are stored per-site.
 '';
 };
@@ -153,6 +154,41 @@ in {
 serviceConfig = {
 DynamicUser = true;
 StateDirectory = "kittybox";
+ # Hardening
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = "";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ ProtectProc = "invisible";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@aio"
+ "@basic-io"
+ "@file-system"
+ "@io-event"
+ "@network-io"
+ "@sync"
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ PrivateDevices = true;
+ DeviceAllow = [ "" ];
+ UMask = "0077";
+ IPAddressDeny = [ "link-local" "multicast" ];
 };
 };
 };
-- 
cgit 1.4.1
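Review bot: The `SystemCallFilter` list mixes allow-list groups with `~` deny entries, and since NixOS emits a list-valued `serviceConfig` attribute as one `SystemCallFilter=` line per element, the element order is what decides the result (systemd's documented behaviour is that the first assignment fixes allow-list mode and later `~` entries subtract from it); `@aio`, `@basic-io`, `@file-system`, `@io-event`, `@network-io` and `@sync` are listed by systemd as members of `@system-service`, so the list can be trimmed to `"@system-service" "~@privileged" "~@resources"` without changing the effective filter. Because no `SystemCallErrorNumber` is set, a syscall outside the allow-list terminates the process with SIGSYS instead of returning an error, which deserves a comment beside the list such as `# allow-list: @system-service minus @privileged/@resources; a filtered syscall kills the process with SIGSYS, so check the journal for SIGSYS before loosening this`. Note that `NoNewPrivileges`, `RestrictSUIDSGID`, `RemoveIPC` and `ProtectSystem = "strict"` are already implied by the existing `DynamicUser = true`, so they document intent rather than add protection, which is fine but worth saying in the `# Hardening` comment. `IPAddressDeny = [ "link-local" ... ]` is worth keeping even if the network policy is later relaxed, since 169.254.0.0/16 is the range commonly used by cloud instance-metadata endpoints; a comment like `# link-local also covers metadata endpoints such as 169.254.169.254` would stop it being dropped as noise. The `systemd.services` definition this `serviceConfig` belongs to begins before the hunk.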