commit 00a91d919d6f6cdaecc67a894f372a4195fea9da · pyrox.dev/nixpkgs

+38
nixos/modules/services/networking/iodine.nix
···

       9
       9
        
       

     

       10
       10
        
         iodinedUser = "iodined";

     

       11
       11
        
       

     

       12
       12
       +
         /* is this path made unreadable by ProtectHome = true ? */

     

       13
       13
       +
         isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x;

     

       12
       14
        
       in

     

       13
       15
        
       {

     

       14
       16
        
         imports = [

     
···

       134
       136
        
                   serviceConfig = {

     

       135
       137
        
                     RestartSec = "30s";

     

       136
       138
        
                     Restart = "always";

     

       139
       139
       +
       

     

       140
       140
       +
                     # hardening :

     

       141
       141
       +
                     # Filesystem access

     

       142
       142
       +
                     ProtectSystem = "strict";

     

       143
       143
       +
                     ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ;

     

       144
       144
       +
                     PrivateTmp = true;

     

       145
       145
       +
                     ReadWritePaths = "/dev/net/tun";

     

       146
       146
       +
                     PrivateDevices = false;

     

       147
       147
       +
                     ProtectKernelTunables = true;

     

       148
       148
       +
                     ProtectKernelModules = true;

     

       149
       149
       +
                     ProtectControlGroups = true;

     

       150
       150
       +
                     # Caps

     

       151
       151
       +
                     NoNewPrivileges = true;

     

       152
       152
       +
                     # Misc.

     

       153
       153
       +
                     LockPersonality = true;

     

       154
       154
       +
                     RestrictRealtime = true;

     

       155
       155
       +
                     PrivateMounts = true;

     

       156
       156
       +
                     MemoryDenyWriteExecute = true;

     

       137
       157
        
                   };

     

       138
       158
        
                 };

     

       139
       159
        
             in

     
···

       147
       167
        
                   after = [ "network.target" ];

     

       148
       168
        
                   wantedBy = [ "multi-user.target" ];

     

       149
       169
        
                   script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";

     

       170
       170
       +
                   serviceConfig = {

     

       171
       171
       +
                     # Filesystem access

     

       172
       172
       +
                     ProtectSystem = "strict";

     

       173
       173
       +
                     ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ;

     

       174
       174
       +
                     PrivateTmp = true;

     

       175
       175
       +
                     ReadWritePaths = "/dev/net/tun";

     

       176
       176
       +
                     PrivateDevices = false;

     

       177
       177
       +
                     ProtectKernelTunables = true;

     

       178
       178
       +
                     ProtectKernelModules = true;

     

       179
       179
       +
                     ProtectControlGroups = true;

     

       180
       180
       +
                     # Caps

     

       181
       181
       +
                     NoNewPrivileges = true;

     

       182
       182
       +
                     # Misc.

     

       183
       183
       +
                     LockPersonality = true;

     

       184
       184
       +
                     RestrictRealtime = true;

     

       185
       185
       +
                     PrivateMounts = true;

     

       186
       186
       +
                     MemoryDenyWriteExecute = true;

     

       187
       187
       +
                   };

     

       150
       188
        
                 };

     

       151
       189
        
               };

     

       152
       190