ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2025-01-06 21:42:35 +03:00
Code Issues Projects Releases Wiki Activity

nixos/nebula: harden systemd unit

Browse Source
This commit is contained in:
Morgan Jones 2022-12-29 13:57:17 -08:00
parent 9d649fd78c
commit e99f342f11
1 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/services/networking/nebula.nix
View File

@ -204,8 +204,27 @@ in
Type = "simple";
Restart = "always";
ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
UMask = "0027";
CapabilityBoundingSet = "CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_ADMIN";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = false; # needs access to /dev/net/tun (below)
DeviceAllow = "/dev/net/tun rw";
DevicePolicy = "closed";
PrivateTmp = true;
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictSUIDSGID = true;
User = networkId;
Group = networkId;
};
@ -227,6 +246,8 @@ in
};
}) enabledNetworks);
users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks);
users.groups = mkMerge (mapAttrsToList (netName: netCfg: {
${nameToId netName} = {};
}) enabledNetworks);
};
}