removed rtorrent group as fixed in #285299

2025-06-12 04:35:41 +03:00 · 2024-07-22 01:00:28 +02:00 · 2024-07-22 01:00:28 +02:00 · 4575922a1f
commit 4575922a1f
parent 9abeee7aab
1 changed files with 28 additions and 10 deletions
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@ -8,6 +8,8 @@ let
  opt = options.services.rtorrent;

 in {
+  meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
  options.services.rtorrent = {
    enable = mkEnableOption "rtorrent";

@ -80,14 +82,6 @@ in {
      '';
    };

-    rpcGroup = mkOption {
-      type = types.str;
-      default = "rtorrent";
-      description = ''
-        The group owning the RPC socket.
-      '';
-    };
-
    configText = mkOption {
      type = types.lines;
      default = "";
@ -188,7 +182,7 @@ in {

      # XMLRPC
      scgi_local = (cfg.rpcsock)
-      schedule = scgi_group,0,0,"execute.nothrow=chown,\":${cfg.rpcGroup}\",(cfg.rpcsock)"
+      schedule = scgi_group,0,0,"execute.nothrow=chown,\":${cfg.group}\",(cfg.rpcsock)"
      schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)"
    '';

@ -210,7 +204,31 @@ in {
            ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
            ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
            RuntimeDirectory = "rtorrent";
-            RuntimeDirectoryMode = 755;
+            RuntimeDirectoryMode = 750;
+
+            CapabilityBoundingSet = [ "" ];
+            LockPersonality = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            # If the default user is changed, there is a good chance that they
+            # want to store data in e.g.: $HOME directory
+            # Relax hardening in this case
+            ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "full";
+            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" "~@privileged" ];
          };
        };
      };