pyrox.dev / nixpkgs
lol
fork atom

nixos/vaultwarden: relax hardening when using sendmail

Sandro Jäckel 232e7b6d 0b9ee9c2

options
unified split
Changed files
+11 -7
nixos
modules
services
security
vaultwarden
default.nix
+11 -7
nixos/modules/services/security/vaultwarden/default.nix 
···

       
65

       
65

       
 

       



     

       
66

       
66

       
 

       
  vaultwarden = cfg.package.override { inherit (cfg) dbBackend; };


     

       
67

       
67

       
 

       



     

       

       
68

       
+

       
  useSendmail = configEnv.USE_SENDMAIL or null == "true";


     

       
68

       
69

       
 

       
in


     

       
69

       
70

       
 

       
{


     

       
70

       
71

       
 

       
  imports = [


     
···

       
236

       
237

       
 

       
        DevicePolicy = "closed";


     

       
237

       
238

       
 

       
        LockPersonality = true;


     

       
238

       
239

       
 

       
        MemoryDenyWriteExecute = true;


     

       
239

       

       
-

       
        NoNewPrivileges = true;


     

       
240

       

       
-

       
        PrivateDevices = true;


     

       

       
240

       
+

       
        NoNewPrivileges = !useSendmail;


     

       

       
241

       
+

       
        PrivateDevices = !useSendmail;


     

       
241

       
242

       
 

       
        PrivateTmp = true;


     

       
242

       

       
-

       
        PrivateUsers = true;


     

       

       
243

       
+

       
        PrivateUsers = !useSendmail;


     

       
243

       
244

       
 

       
        ProcSubset = "pid";


     

       
244

       
245

       
 

       
        ProtectClock = true;


     

       
245

       
246

       
 

       
        ProtectControlGroups = true;


     
···

       
262

       
263

       
 

       
        inherit StateDirectory;


     

       
263

       
264

       
 

       
        StateDirectoryMode = "0700";


     

       
264

       
265

       
 

       
        SystemCallArchitectures = "native";


     

       
265

       

       
-

       
        SystemCallFilter = [


     

       
266

       

       
-

       
          "@system-service"


     

       
267

       

       
-

       
          "~@privileged"


     

       
268

       

       
-

       
        ];


     

       

       
266

       
+

       
        SystemCallFilter =


     

       

       
267

       
+

       
          [


     

       

       
268

       
+

       
            "@system-service"


     

       

       
269

       
+

       
          ]


     

       

       
270

       
+

       
          ++ lib.optionals (!useSendmail) [


     

       

       
271

       
+

       
            "~@privileged"


     

       

       
272

       
+

       
          ];


     

       
269

       
273

       
 

       
        Restart = "always";


     

       
270

       
274

       
 

       
        UMask = "0077";


     

       
271

       
275

       
 

       
      };