···
# apparently needs proc for workers management
"CRYPTPAD_CONFIG=${cryptpadConfigFile}"
ExecStart = lib.getExe cfg.package;
StateDirectory = "cryptpad";
WorkingDirectory = "%S/cryptpad";
+
# security way too many numerous options, from the systemd-analyze security output
+
# at end of test: block everything except
+
# - SystemCallFiters=@resources is required for node
+
# - MemoryDenyWriteExecute for node JIT
+
# - RestrictAddressFamilies=~AF_(INET|INET6) / PrivateNetwork to bind to sockets
+
# - IPAddressDeny likewise allow localhost if binding to localhost or any otherwise
+
# - PrivateUsers somehow service doesn't start with that
+
# - DeviceAllow (char-rtc r added by ProtectClock)
+
AmbientCapabilities = "";
+
CapabilityBoundingSet = "";
+
LockPersonality = true;
+
NoNewPrivileges = true;
+
ProtectControlGroups = true;
+
ProtectHostname = true;
+
ProtectKernelLogs = true;
+
ProtectKernelModules = true;
+
ProtectKernelTunables = true;
+
ProtectProc = "invisible";
+
ProtectSystem = "strict";
+
RestrictAddressFamilies = [
+
RestrictNamespaces = true;
+
RestrictRealtime = true;
+
RestrictSUIDSGID = true;
+
RuntimeDirectoryMode = "700";
+
"tcp:${builtins.toString cfg.settings.httpPort}"
+
"tcp:${builtins.toString cfg.settings.websocketPort}"
+
SocketBindDeny = [ "any" ];
+
StateDirectoryMode = "0700";
+
SystemCallArchitectures = "native";
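Review bot: The exception list in the comment block above `AmbientCapabilities` is the only record of which hardening directives were deliberately left off, and it is hard to audit as written. `SystemCallFiters` is misspelled (the directive is `SystemCallFilter`), so a grep for the real name misses it, and the entries do not say whether a directive is left unset or only relaxed. I would write each entry in one form, e.g. `# - MemoryDenyWriteExecute: left unset, node's JIT needs writable+executable memory` and `# - PrivateUsers: left unset, service fails to start with it (cause not yet known)`, so a later `systemd-analyze security` pass can tell intent from oversight. As a style point, `RuntimeDirectoryMode = "700"` and `StateDirectoryMode = "0700"` should be spelled the same way, e.g. `RuntimeDirectoryMode = "0700";`. Some lines of this hunk appear to be elided in this view (the `RestrictAddressFamilies` list is never closed and the enclosing attribute set opens above it), so this covers the visible lines only.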
···
+
# block external network access if not phoning home and
+
# binding to localhost (default)
+
cfg.settings.blockDailyCheck
+
&& (builtins.elem cfg.settings.httpAddress [
+
systemd.services.cryptpad = {
+
IPAddressAllow = [ "localhost" ];
+
IPAddressDeny = [ "any" ];
+
# .. conversely allow DNS & TLS if telemetry is explicitly enabled
+
(mkIf (!cfg.settings.blockDailyCheck) {
+
systemd.services.cryptpad = {
+
"/etc/ssl/certs/ca-certificates.crt"
(mkIf cfg.configureNginx {