lockdown nix service

This commit is contained in:
Robin Appelman 2022-08-02 18:11:54 +02:00
commit eaeabfa712


@ -97,13 +97,7 @@
networking.firewall.allowedTCPPorts = lib.optional cfg.openPort cfg.port;
networking.firewall.allowedUDPPorts = lib.optional cfg.openMDNSPort 5353;
users.groups.palantir = {};
users.groups.powermonitoring = {};
users.users.palantir = {
isSystemUser = true;
group = "palantir";
extraGroups = ["powermonitoring"] ++ lib.optional cfg.docker "docker";
};
services.udev.packages = [self.defaultPackage.${pkgs.system}];
@ -121,11 +115,30 @@
in {
Restart = "on-failure";
ExecStart = "${pkg}/bin/palantir";
User = "palantir";
DynamicUser = true;
PrivateTmp = true;
ProtectSystem = "full";
PrivateUsers = true;
ProtectSystem = "strict";
ProtectHome = true;
NoNewPrivileges = true;
ProtectClock = true;
CapabilityBoundingSet = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
ProtectKernelModules = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
DevicePolicy = "closed";
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_NETLINK"] ++ lib.optional cfg.docker "AF_UNIX"; # netlink is required to make `getifaddrs` not err
RestrictRealtime = true;
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
IPAddressAllow = ["localhost"] ++ lib.optional cfg.mdns "multicast";
UMask = "0077";
SupplementaryGroups = ["powermonitoring"] ++ lib.optional cfg.docker "docker";
};
};
};
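Review bot: `CapabilityBoundingSet = true;` in the new serviceConfig is not a capability list; it is serialized as `CapabilityBoundingSet=true`, which systemd does not recognise as a capability name, so the intended "drop every capability" is at best applied after a parse warning and may not be applied at all. The NixOS idiom for an empty bounding set is `CapabilityBoundingSet = "";`, and `systemctl show palantir -p CapabilityBoundingSet` after the rebuild confirms what was actually applied. Separately, `IPAddressAllow = ["localhost"] ++ …` without a matching `IPAddressDeny` filters nothing, and because the firewall lines in the first hunk open `cfg.port` to the network, adding a deny rule would cut off remote clients, so the line should either be dropped or paired with an explicit deny that reflects the reachability you actually want. The `let … in` expression whose body this attribute set is begins outside the hunk.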