commit ddef00d3f0e4b4cb3b4449ccd6f8d9420b1efc5f · pyrox.dev/nixpkgs

+11 -6

nixos/modules/services/web-apps/zipline.nix

···

       107
        
               ExecStart = lib.getExe cfg.package;

     

       108
        
       

     

       109
        
               # Hardening

     

       0
        
       
     

       110
        
               CapabilityBoundingSet = [ "" ];

     

       111
       -
               DeviceAllow = [ "" ];

     

       112
        
               LockPersonality = true;

     

       0
        
       
     

       113
        
               PrivateDevices = true;

     

       114
        
               PrivateTmp = true;

     

       115
        
               PrivateUsers = true;

     
···

       123
        
               ProtectKernelTunables = true;

     

       124
        
               ProtectProc = "invisible";

     

       125
        
               ProtectSystem = "strict";

     

       126
       -
               RestrictAddressFamilies = [

     

       127
       -
                 "AF_INET"

     

       128
       -
                 "AF_INET6"

     

       129
       -
                 "AF_UNIX"

     

       130
       -
               ];

     

       131
        
               RestrictNamespaces = true;

     

       132
        
               RestrictRealtime = true;

     

       133
        
               RestrictSUIDSGID = true;

     

       134
        
               SystemCallArchitectures = "native";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       135
        
             };

     

       136
        
           };

     

       137
        
         };

···

       107
        
               ExecStart = lib.getExe cfg.package;

     

       108
        
       

     

       109
        
               # Hardening

     

       110
       +
               AmbientCapabilities = "";

     

       111
        
               CapabilityBoundingSet = [ "" ];

     

       112
       +
               DevicePolicy = "closed";

     

       113
        
               LockPersonality = true;

     

       114
       +
               NoNewPrivileges = true;

     

       115
        
               PrivateDevices = true;

     

       116
        
               PrivateTmp = true;

     

       117
        
               PrivateUsers = true;

     
···

       125
        
               ProtectKernelTunables = true;

     

       126
        
               ProtectProc = "invisible";

     

       127
        
               ProtectSystem = "strict";

     

       128
       +
               RemoveIPC = true;

     

       129
       +
               RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX AF_NETLINK" ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       130
        
               RestrictNamespaces = true;

     

       131
        
               RestrictRealtime = true;

     

       132
        
               RestrictSUIDSGID = true;

     

       133
        
               SystemCallArchitectures = "native";

     

       134
       +
               SystemCallFilter = [

     

       135
       +
                 "@system-service"

     

       136
       +
                 "~@privileged"

     

       137
       +
                 "~@resources"

     

       138
       +
               ];

     

       139
       +
               UMask = "0077";

     

       140
        
             };

     

       141
        
           };

     

       142
        
         };

+13

nixos/tests/zipline.nix

···

       1
        
       { lib, ... }:

     

       0
        
       
     

       2
        
       {

     

       3
        
         name = "zipline";

     

       4
        
         meta.maintainers = with lib.maintainers; [ defelo ];

     
···

       18
        
           };

     

       19
        
       

     

       20
        
           networking.hosts."127.0.0.1" = [ "zipline.local" ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       21
        
         };

     

       22
        
       

     

       23
        
         testScript = ''

···

       1
        
       { lib, ... }:

     

       2
       +
       

     

       3
        
       {

     

       4
        
         name = "zipline";

     

       5
        
         meta.maintainers = with lib.maintainers; [ defelo ];

     
···

       19
        
           };

     

       20
        
       

     

       21
        
           networking.hosts."127.0.0.1" = [ "zipline.local" ];

     

       22
       +
         };

     

       23
       +
       

     

       24
       +
         interactive.nodes.machine = {

     

       25
       +
           services.zipline.settings.CORE_HOSTNAME = lib.mkForce "0.0.0.0";

     

       26
       +
           networking.firewall.allowedTCPPorts = [ 8000 ];

     

       27
       +
           virtualisation.forwardPorts = [

     

       28
       +
             {

     

       29
       +
               from = "host";

     

       30
       +
               host.port = 8000;

     

       31
       +
               guest.port = 8000;

     

       32
       +
             }

     

       33
       +
           ];

     

       34
        
         };

     

       35
        
       

     

       36
        
         testScript = ''