pyrox.dev / nixpkgs
lol
fork atom

nixos/radicale: harden systemd unit

Robert Schütz 762be5c8 022c5b09

options
unified split
Changed files
+51 -8
nixos
doc
manual
release-notes
rl-2105.xml
modules
services
networking
radicale.nix
tests
radicale.nix
+7
nixos/doc/manual/release-notes/rl-2105.xml 
···

       
721

       
721

       
 

       
     automatically based on <option>system.stateVersion</option>, the latest


     

       
722

       
722

       
 

       
     version is always used because old versions are not officially supported.


     

       
723

       
723

       
 

       
    </para>


     

       

       
724

       
+

       
    <para>


     

       

       
725

       
+

       
     Furthermore, Radicale's systemd unit was hardened which might break some


     

       

       
726

       
+

       
     deployments.  In particular, a non-default


     

       

       
727

       
+

       
     <literal>filesystem_folder</literal> has to be added to


     

       

       
728

       
+

       
     <option>systemd.services.radicale.serviceConfig.ReadWritePaths</option> if


     

       

       
729

       
+

       
     the deprecated <option>services.radicale.config</option> is used.


     

       

       
730

       
+

       
    </para>


     

       
724

       
731

       
 

       
   </listitem>


     

       
725

       
732

       
 

       
  </itemizedlist>


     

       
726

       
733

       
 

       
 </section>
+39 -8
nixos/modules/services/networking/radicale.nix 
···

       
21

       
21

       
 

       



     

       
22

       
22

       
 

       
  rightsFile = format.generate "radicale.rights" cfg.rights;


     

       
23

       
23

       
 

       



     

       

       
24

       
+

       
  bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings;


     

       

       
25

       
+

       



     

       
24

       
26

       
 

       
in {


     

       
25

       
27

       
 

       
  options.services.radicale = {


     

       
26

       
28

       
 

       
    enable = mkEnableOption "Radicale CalDAV and CardDAV server";


     
···

       
138

       
140

       
 

       



     

       
139

       
141

       
 

       
    environment.systemPackages = [ pkg ];


     

       
140

       
142

       
 

       



     

       
141

       

       
-

       
    users.users.radicale =


     

       
142

       

       
-

       
      { uid = config.ids.uids.radicale;


     

       
143

       

       
-

       
        description = "radicale user";


     

       
144

       

       
-

       
        home = "/var/lib/radicale";


     

       
145

       

       
-

       
        createHome = true;


     

       
146

       

       
-

       
      };


     

       

       
143

       
+

       
    users.users.radicale.uid = config.ids.uids.radicale;


     

       
147

       
144

       
 

       



     

       
148

       

       
-

       
    users.groups.radicale =


     

       
149

       

       
-

       
      { gid = config.ids.gids.radicale; };


     

       

       
145

       
+

       
    users.groups.radicale.gid = config.ids.gids.radicale;


     

       
150

       
146

       
 

       



     

       
151

       
147

       
 

       
    systemd.services.radicale = {


     

       
152

       
148

       
 

       
      description = "A Simple Calendar and Contact Server";


     
···

       
161

       
157

       
 

       
        ));


     

       
162

       
158

       
 

       
        User = "radicale";


     

       
163

       
159

       
 

       
        Group = "radicale";


     

       

       
160

       
+

       
        StateDirectory = "radicale/collections";


     

       

       
161

       
+

       
        StateDirectoryMode = "0750";


     

       

       
162

       
+

       
        # Hardening


     

       

       
163

       
+

       
        CapabilityBoundingSet = [ "" ];


     

       

       
164

       
+

       
        DeviceAllow = [ "/dev/stdin" ];


     

       

       
165

       
+

       
        DevicePolicy = "strict";


     

       

       
166

       
+

       
        IPAddressAllow = mkIf bindLocalhost "localhost";


     

       

       
167

       
+

       
        IPAddressDeny = mkIf bindLocalhost "any";


     

       

       
168

       
+

       
        LockPersonality = true;


     

       

       
169

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
170

       
+

       
        NoNewPrivileges = true;


     

       

       
171

       
+

       
        PrivateDevices = true;


     

       

       
172

       
+

       
        PrivateTmp = true;


     

       

       
173

       
+

       
        PrivateUsers = true;


     

       

       
174

       
+

       
        ProcSubset = "pid";


     

       

       
175

       
+

       
        ProtectClock = true;


     

       

       
176

       
+

       
        ProtectControlGroups = true;


     

       

       
177

       
+

       
        ProtectHome = true;


     

       

       
178

       
+

       
        ProtectHostname = true;


     

       

       
179

       
+

       
        ProtectKernelLogs = true;


     

       

       
180

       
+

       
        ProtectKernelModules = true;


     

       

       
181

       
+

       
        ProtectKernelTunables = true;


     

       

       
182

       
+

       
        ProtectProc = "invisible";


     

       

       
183

       
+

       
        ProtectSystem = "strict";


     

       

       
184

       
+

       
        ReadWritePaths = lib.optional


     

       

       
185

       
+

       
          (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings)


     

       

       
186

       
+

       
          cfg.settings.storage.filesystem_folder;


     

       

       
187

       
+

       
        RemoveIPC = true;


     

       

       
188

       
+

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
189

       
+

       
        RestrictNamespaces = true;


     

       

       
190

       
+

       
        RestrictRealtime = true;


     

       

       
191

       
+

       
        RestrictSUIDSGID = true;


     

       

       
192

       
+

       
        SystemCallArchitectures = "native";


     

       

       
193

       
+

       
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];


     

       

       
194

       
+

       
        UMask = "0027";


     

       
164

       
195

       
 

       
      };


     

       
165

       
196

       
 

       
    };


     

       
166

       
197

       
 

       
  };
+5
nixos/tests/radicale.nix 
···

       
86

       
86

       
 

       



     

       
87

       
87

       
 

       
    with subtest("Test web interface"):


     

       
88

       
88

       
 

       
        machine.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")


     

       

       
89

       
+

       



     

       

       
90

       
+

       
    with subtest("Test security"):


     

       

       
91

       
+

       
        output = machine.succeed("systemd-analyze security radicale.service")


     

       

       
92

       
+

       
        machine.log(output)


     

       

       
93

       
+

       
        assert output[-9:-1] == "SAFE :-}"


     

       
89

       
94

       
 

       
  '';


     

       
90

       
95

       
 

       
})