nixos/acme: harden systemd units

2021-05-16 18:27:10 +02:00 · 2021-05-16 18:27:10 +02:00 · 7a10478ea7
commit 7a10478ea7
parent dc940ecdb3
1 changed files with 44 additions and 8 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -21,15 +21,51 @@ let
  # The Group can vary depending on what the user has specified in
  # security.acme.certs.<cert>.group on some of the services.
  commonServiceConfig = {
-      Type = "oneshot";
+    Type = "oneshot";
-      User = "acme";
+    User = "acme";
-      Group = mkDefault "acme";
+    Group = mkDefault "acme";
-      UMask = 0022;
+    UMask = 0022;
-      StateDirectoryMode = 750;
+    StateDirectoryMode = 750;
-      ProtectSystem = "full";
+    ProtectSystem = "strict";
-      PrivateTmp = true;
+    ReadWritePaths = [
      "/var/lib/acme"
    ];
    PrivateTmp = true;
-      WorkingDirectory = "/tmp";
+    WorkingDirectory = "/tmp";
    CapabilityBoundingSet = [ "" ];
    DevicePolicy = "closed";
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    NoNewPrivileges = true;
    PrivateDevices = true;
    ProtectClock = true;
    ProtectHome = true;
    ProtectHostname = true;
    ProtectControlGroups = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectProc = "invisible";
    ProcSubset = "pid";
    RemoveIPC = true;
    RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
    ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [
      # 1. allow a reasonable set of syscalls
      "@system-service"
      # 2. and deny unreasonable ones
      "~@privileged @resources"
      # 3. then allow the required subset within denied groups
      "@chown"
    ];
  };
  # In order to avoid race conditions creating the CA for selfsigned certs,