movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-15 14:09:17 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/nebula: harden systemd unit

Browse source
This commit is contained in:
Morgan Jones 2022-12-29 13:57:17 -08:00
parent 9d649fd78c
commit e99f342f11
1 changed files with 22 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

23
nixos/modules/services/networking/nebula.nix
View file

@ -204,8 +204,27 @@ in
Type = "simple"; Type = "simple";
Restart = "always"; Restart = "always";
ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
UMask = "0027";
CapabilityBoundingSet = "CAP_NET_ADMIN"; CapabilityBoundingSet = "CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_ADMIN"; AmbientCapabilities = "CAP_NET_ADMIN";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = false; # needs access to /dev/net/tun (below)
DeviceAllow = "/dev/net/tun rw";
DevicePolicy = "closed";
PrivateTmp = true;
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictSUIDSGID = true;
User = networkId; User = networkId;
Group = networkId; Group = networkId;
}; };
@ -227,6 +246,8 @@ in
}; };
}) enabledNetworks); }) enabledNetworks);
users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks); users.groups = mkMerge (mapAttrsToList (netName: netCfg: {
${nameToId netName} = {};
}) enabledNetworks);
}; };
} }