pyrox.dev / nixpkgs
lol
fork atom

nixos/nebula: harden systemd unit

Morgan Jones e99f342f 9d649fd7

options
unified split
Changed files
+22 -1
nixos
modules
services
networking
nebula.nix
+22 -1
nixos/modules/services/networking/nebula.nix 
···

       
204

       
 

       
              Type = "simple";


     

       
205

       
 

       
              Restart = "always";


     

       
206

       
 

       
              ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";


     

       

       

       
     

       
207

       
 

       
              CapabilityBoundingSet = "CAP_NET_ADMIN";


     

       
208

       
 

       
              AmbientCapabilities = "CAP_NET_ADMIN";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
209

       
 

       
              User = networkId;


     

       
210

       
 

       
              Group = networkId;


     

       
211

       
 

       
            };


     
···

       
227

       
 

       
        };


     

       
228

       
 

       
      }) enabledNetworks);


     

       
229

       
 

       



     

       
230

       
-

       
    users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks);


     

       

       

       
     

       

       

       
     

       
231

       
 

       
  };


     

       
232

       
 

       
}


     
···

       
204

       
 

       
              Type = "simple";


     

       
205

       
 

       
              Restart = "always";


     

       
206

       
 

       
              ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";


     

       
207

       
+

       
              UMask = "0027";


     

       
208

       
 

       
              CapabilityBoundingSet = "CAP_NET_ADMIN";


     

       
209

       
 

       
              AmbientCapabilities = "CAP_NET_ADMIN";


     

       
210

       
+

       
              LockPersonality = true;


     

       
211

       
+

       
              NoNewPrivileges = true;


     

       
212

       
+

       
              PrivateDevices = false; # needs access to /dev/net/tun (below)


     

       
213

       
+

       
              DeviceAllow = "/dev/net/tun rw";


     

       
214

       
+

       
              DevicePolicy = "closed";


     

       
215

       
+

       
              PrivateTmp = true;


     

       
216

       
+

       
              PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace


     

       
217

       
+

       
              ProtectClock = true;


     

       
218

       
+

       
              ProtectControlGroups = true;


     

       
219

       
+

       
              ProtectHome = true;


     

       
220

       
+

       
              ProtectHostname = true;


     

       
221

       
+

       
              ProtectKernelLogs = true;


     

       
222

       
+

       
              ProtectKernelModules = true;


     

       
223

       
+

       
              ProtectKernelTunables = true;


     

       
224

       
+

       
              ProtectProc = "invisible";


     

       
225

       
+

       
              ProtectSystem = "strict";


     

       
226

       
+

       
              RestrictNamespaces = true;


     

       
227

       
+

       
              RestrictSUIDSGID = true;


     

       
228

       
 

       
              User = networkId;


     

       
229

       
 

       
              Group = networkId;


     

       
230

       
 

       
            };


     
···

       
246

       
 

       
        };


     

       
247

       
 

       
      }) enabledNetworks);


     

       
248

       
 

       



     

       
249

       
+

       
    users.groups = mkMerge (mapAttrsToList (netName: netCfg: {


     

       
250

       
+

       
      ${nameToId netName} = {};


     

       
251

       
+

       
    }) enabledNetworks);


     

       
252

       
 

       
  };


     

       
253

       
 

       
}