pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #201521 from hmenke/alps

nixos/alps: add hardening, extensible options, test

Anderson Torres fc8a4f72 5dcab938

options
unified split
Changed files
+163 -14
nixos
modules
services
web-apps
alps.nix
tests
all-tests.nix
alps.nix
pkgs
servers
alps
default.nix
+43 -9
nixos/modules/services/web-apps/alps.nix 
···

       
70

       
70

       
 

       
        '';


     

       
71

       
71

       
 

       
      };


     

       
72

       
72

       
 

       
    };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
    package = mkOption {


     

       

       
75

       
+

       
      internal = true;


     

       

       
76

       
+

       
      type = types.package;


     

       

       
77

       
+

       
      default = pkgs.alps;


     

       

       
78

       
+

       
    };


     

       

       
79

       
+

       



     

       

       
80

       
+

       
    args = mkOption {


     

       

       
81

       
+

       
      internal = true;


     

       

       
82

       
+

       
      type = types.listOf types.str;


     

       

       
83

       
+

       
      default = [


     

       

       
84

       
+

       
        "-addr" "${cfg.bindIP}:${toString cfg.port}"


     

       

       
85

       
+

       
        "-theme" "${cfg.theme}"


     

       

       
86

       
+

       
        "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"


     

       

       
87

       
+

       
        "smpts://${cfg.smtps.host}:${toString cfg.smtps.port}"


     

       

       
88

       
+

       
      ];


     

       

       
89

       
+

       
    };


     

       
73

       
90

       
 

       
  };


     

       
74

       
91

       
 

       



     

       
75

       
92

       
 

       
  config = mkIf cfg.enable {


     
···

       
80

       
97

       
 

       
      after = [ "network.target" "network-online.target" ];


     

       
81

       
98

       
 

       



     

       
82

       
99

       
 

       
      serviceConfig = {


     

       
83

       

       
-

       
        ExecStart = ''


     

       
84

       

       
-

       
          ${pkgs.alps}/bin/alps \


     

       
85

       

       
-

       
            -addr ${cfg.bindIP}:${toString cfg.port} \


     

       
86

       

       
-

       
            -theme ${cfg.theme} \


     

       
87

       

       
-

       
            imaps://${cfg.imaps.host}:${toString cfg.imaps.port} \


     

       
88

       

       
-

       
            smpts://${cfg.smtps.host}:${toString cfg.smtps.port}


     

       
89

       

       
-

       
        '';


     

       
90

       

       
-

       
        StateDirectory = "alps";


     

       
91

       

       
-

       
        WorkingDirectory = "/var/lib/alps";


     

       

       
100

       
+

       
        ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";


     

       
92

       
101

       
 

       
        DynamicUser = true;


     

       

       
102

       
+

       
        ## This is desirable but would restrict bindIP to 127.0.0.1


     

       

       
103

       
+

       
        #IPAddressAllow = "localhost";


     

       

       
104

       
+

       
        #IPAddressDeny = "any";


     

       

       
105

       
+

       
        LockPersonality = true;


     

       

       
106

       
+

       
        NoNewPrivileges = true;


     

       

       
107

       
+

       
        PrivateDevices = true;


     

       

       
108

       
+

       
        PrivateIPC = true;


     

       

       
109

       
+

       
        PrivateTmp = true;


     

       

       
110

       
+

       
        PrivateUsers = true;


     

       

       
111

       
+

       
        ProtectClock = true;


     

       

       
112

       
+

       
        ProtectControlGroups = true;


     

       

       
113

       
+

       
        ProtectHome = true;


     

       

       
114

       
+

       
        ProtectHostname = true;


     

       

       
115

       
+

       
        ProtectKernelLogs = true;


     

       

       
116

       
+

       
        ProtectKernelModules = true;


     

       

       
117

       
+

       
        ProtectKernelTunables = true;


     

       

       
118

       
+

       
        ProtectProc = "invisible";


     

       

       
119

       
+

       
        ProtectSystem = "strict";


     

       

       
120

       
+

       
        RemoveIPC = true;


     

       

       
121

       
+

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
122

       
+

       
        RestrictNamespaces = true;


     

       

       
123

       
+

       
        RestrictRealtime = true;


     

       

       
124

       
+

       
        RestrictSUIDSGID = true;


     

       

       
125

       
+

       
        SystemCallArchitectures = "native";


     

       

       
126

       
+

       
        SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];


     

       
93

       
127

       
 

       
      };


     

       
94

       
128

       
 

       
    };


     

       
95

       
129

       
 

       
  };
+1
nixos/tests/all-tests.nix 
···

       
74

       
74

       
 

       
  agda = handleTest ./agda.nix {};


     

       
75

       
75

       
 

       
  airsonic = handleTest ./airsonic.nix {};


     

       
76

       
76

       
 

       
  allTerminfo = handleTest ./all-terminfo.nix {};


     

       

       
77

       
+

       
  alps = handleTest ./alps.nix {};


     

       
77

       
78

       
 

       
  amazon-init-shell = handleTest ./amazon-init-shell.nix {};


     

       
78

       
79

       
 

       
  apfs = handleTest ./apfs.nix {};


     

       
79

       
80

       
 

       
  apparmor = handleTest ./apparmor.nix {};
+104
nixos/tests/alps.nix 
···

       

       
1

       
+

       
let


     

       

       
2

       
+

       
  certs = import ./common/acme/server/snakeoil-certs.nix;


     

       

       
3

       
+

       
  domain = certs.domain;


     

       

       
4

       
+

       
in


     

       

       
5

       
+

       
import ./make-test-python.nix ({ pkgs, ... }: {


     

       

       
6

       
+

       
  name = "alps";


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  nodes = {


     

       

       
9

       
+

       
    server = {


     

       

       
10

       
+

       
      imports = [ ./common/user-account.nix ];


     

       

       
11

       
+

       
      security.pki.certificateFiles = [


     

       

       
12

       
+

       
        certs.ca.cert


     

       

       
13

       
+

       
      ];


     

       

       
14

       
+

       
      networking.extraHosts = ''


     

       

       
15

       
+

       
        127.0.0.1 ${domain}


     

       

       
16

       
+

       
      '';


     

       

       
17

       
+

       
      networking.firewall.allowedTCPPorts = [ 25 465 993 ];


     

       

       
18

       
+

       
      services.postfix = {


     

       

       
19

       
+

       
        enable = true;


     

       

       
20

       
+

       
        enableSubmission = true;


     

       

       
21

       
+

       
        enableSubmissions = true;


     

       

       
22

       
+

       
        tlsTrustedAuthorities = "${certs.ca.cert}";


     

       

       
23

       
+

       
        sslCert = "${certs.${domain}.cert}";


     

       

       
24

       
+

       
        sslKey = "${certs.${domain}.key}";


     

       

       
25

       
+

       
      };


     

       

       
26

       
+

       
      services.dovecot2 = {


     

       

       
27

       
+

       
        enable = true;


     

       

       
28

       
+

       
        enableImap = true;


     

       

       
29

       
+

       
        sslCACert = "${certs.ca.cert}";


     

       

       
30

       
+

       
        sslServerCert = "${certs.${domain}.cert}";


     

       

       
31

       
+

       
        sslServerKey = "${certs.${domain}.key}";


     

       

       
32

       
+

       
      };


     

       

       
33

       
+

       
    };


     

       

       
34

       
+

       



     

       

       
35

       
+

       
    client = { nodes, config, ... }: {


     

       

       
36

       
+

       
      security.pki.certificateFiles = [


     

       

       
37

       
+

       
        certs.ca.cert


     

       

       
38

       
+

       
      ];


     

       

       
39

       
+

       
      networking.extraHosts = ''


     

       

       
40

       
+

       
        ${nodes.server.config.networking.primaryIPAddress} ${domain}


     

       

       
41

       
+

       
      '';


     

       

       
42

       
+

       
      services.alps = {


     

       

       
43

       
+

       
        enable = true;


     

       

       
44

       
+

       
        theme = "alps";


     

       

       
45

       
+

       
        imaps = {


     

       

       
46

       
+

       
          host = domain;


     

       

       
47

       
+

       
          port = 993;


     

       

       
48

       
+

       
        };


     

       

       
49

       
+

       
        smtps = {


     

       

       
50

       
+

       
          host = domain;


     

       

       
51

       
+

       
          port = 465;


     

       

       
52

       
+

       
        };


     

       

       
53

       
+

       
      };


     

       

       
54

       
+

       
      environment.systemPackages = [


     

       

       
55

       
+

       
        (pkgs.writers.writePython3Bin "test-alps-login" { } ''


     

       

       
56

       
+

       
          from urllib.request import build_opener, HTTPCookieProcessor, Request


     

       

       
57

       
+

       
          from urllib.parse import urlencode, urljoin


     

       

       
58

       
+

       
          from http.cookiejar import CookieJar


     

       

       
59

       
+

       



     

       

       
60

       
+

       
          baseurl = "http://localhost:${toString config.services.alps.port}"


     

       

       
61

       
+

       
          username = "alice"


     

       

       
62

       
+

       
          password = "${nodes.server.config.users.users.alice.password}"


     

       

       
63

       
+

       
          cookiejar = CookieJar()


     

       

       
64

       
+

       
          cookieprocessor = HTTPCookieProcessor(cookiejar)


     

       

       
65

       
+

       
          opener = build_opener(cookieprocessor)


     

       

       
66

       
+

       



     

       

       
67

       
+

       
          data = urlencode({"username": username, "password": password}).encode()


     

       

       
68

       
+

       
          req = Request(urljoin(baseurl, "login"), data=data, method="POST")


     

       

       
69

       
+

       
          with opener.open(req) as ret:


     

       

       
70

       
+

       
              # Check that the alps_session cookie is set


     

       

       
71

       
+

       
              print(cookiejar)


     

       

       
72

       
+

       
              assert any(cookie.name == "alps_session" for cookie in cookiejar)


     

       

       
73

       
+

       



     

       

       
74

       
+

       
          req = Request(baseurl)


     

       

       
75

       
+

       
          with opener.open(req) as ret:


     

       

       
76

       
+

       
              # Check that the alps_session cookie is still there...


     

       

       
77

       
+

       
              print(cookiejar)


     

       

       
78

       
+

       
              assert any(cookie.name == "alps_session" for cookie in cookiejar)


     

       

       
79

       
+

       
              # ...and that we have not been redirected back to the login page


     

       

       
80

       
+

       
              print(ret.url)


     

       

       
81

       
+

       
              assert ret.url == urljoin(baseurl, "mailbox/INBOX")


     

       

       
82

       
+

       



     

       

       
83

       
+

       
          req = Request(urljoin(baseurl, "logout"))


     

       

       
84

       
+

       
          with opener.open(req) as ret:


     

       

       
85

       
+

       
              # Check that the alps_session cookie is now gone


     

       

       
86

       
+

       
              print(cookiejar)


     

       

       
87

       
+

       
              assert all(cookie.name != "alps_session" for cookie in cookiejar)


     

       

       
88

       
+

       
        '')


     

       

       
89

       
+

       
      ];


     

       

       
90

       
+

       
    };


     

       

       
91

       
+

       
  };


     

       

       
92

       
+

       



     

       

       
93

       
+

       
  testScript = ''


     

       

       
94

       
+

       
    server.start()


     

       

       
95

       
+

       
    server.wait_for_unit("postfix.service")


     

       

       
96

       
+

       
    server.wait_for_unit("dovecot2.service")


     

       

       
97

       
+

       
    server.wait_for_open_port(465)


     

       

       
98

       
+

       
    server.wait_for_open_port(993)


     

       

       
99

       
+

       



     

       

       
100

       
+

       
    client.start()


     

       

       
101

       
+

       
    client.wait_for_unit("alps.service")


     

       

       
102

       
+

       
    client.succeed("test-alps-login")


     

       

       
103

       
+

       
  '';


     

       

       
104

       
+

       
})
+15 -5
pkgs/servers/alps/default.nix 
···

       
1

       

       
-

       
{ lib, buildGoModule, fetchFromSourcehut }:


     

       

       
1

       
+

       
{ lib, buildGoModule, fetchFromSourcehut, fetchpatch, nixosTests }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
buildGoModule rec {


     

       
4

       
4

       
 

       
  pname = "alps";


     

       
5

       

       
-

       
  version = "2022-06-03";


     

       

       
5

       
+

       
  version = "2022-10-18";


     

       
6

       
6

       
 

       



     

       
7

       
7

       
 

       
  src = fetchFromSourcehut {


     

       
8

       
8

       
 

       
    owner = "~migadu";


     

       
9

       
9

       
 

       
    repo = "alps";


     

       
10

       

       
-

       
    rev = "9cb23b09975e95f6a5952e3718eaf471c3e3510f";


     

       
11

       

       
-

       
    hash = "sha256-BUV1/BRIXHEf2FU1rdmNgueo8KSUlMKbIpAg2lFs3hA=";


     

       

       
10

       
+

       
    rev = "f01fbcbc48db5e65d69a0ebd9d7cb0deb378cf13";


     

       

       
11

       
+

       
    hash = "sha256-RSug3YSiqYLGs05Bee4NoaoCyPvUZ7IqlKWI1hmxbiA=";


     

       
12

       
12

       
 

       
  };


     

       
13

       
13

       
 

       



     

       
14

       

       
-

       
  vendorSha256 = "sha256-cpY+lYM/nAX3nUaFknrRAavxDk8UDzJkoqFjJ1/KWeg=";


     

       

       
14

       
+

       
  vendorSha256 = "sha256-XDm6LU9D/rVQHiko7EFpocv+IktGe6tQhJYRrOJxeSs=";


     

       
15

       
15

       
 

       



     

       
16

       
16

       
 

       
  ldflags = [


     

       
17

       
17

       
 

       
    "-s"


     
···

       
20

       
20

       
 

       
    "-X git.sr.ht/~migadu/alps.PluginDir=${placeholder "out"}/share/alps/plugins"


     

       
21

       
21

       
 

       
  ];


     

       
22

       
22

       
 

       



     

       

       
23

       
+

       
  patches = [


     

       

       
24

       
+

       
    (fetchpatch {


     

       

       
25

       
+

       
      name = "Issue-160-Alps-theme-has-a-enormous-move-to-list-sel";


     

       

       
26

       
+

       
      url = "https://lists.sr.ht/~migadu/alps-devel/patches/30096/mbox";


     

       

       
27

       
+

       
      hash = "sha256-Sz/SCkrrXZWrmJzjfPXi+UfCcbwsy6QiA7m34iiEFX0=";


     

       

       
28

       
+

       
    })


     

       

       
29

       
+

       
  ];


     

       

       
30

       
+

       



     

       
23

       
31

       
 

       
  postPatch = ''


     

       
24

       
32

       
 

       
    substituteInPlace plugin.go --replace "const PluginDir" "var PluginDir"


     

       
25

       
33

       
 

       
  '';


     
···

       
30

       
38

       
 

       
  '';


     

       
31

       
39

       
 

       



     

       
32

       
40

       
 

       
  proxyVendor = true;


     

       

       
41

       
+

       



     

       

       
42

       
+

       
  passthru.tests = { inherit(nixosTests) alps; };


     

       
33

       
43

       
 

       



     

       
34

       
44

       
 

       
  meta = with lib; {


     

       
35

       
45

       
 

       
    description = "A simple and extensible webmail.";