Merge pull request #202187 from hmenke/alps

This commit is contained in:
Martin Weinelt 2022-11-25 01:34:53 +01:00 committed by GitHub
commit a4e5468bc0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions


@ -98,11 +98,11 @@ in {
serviceConfig = {
ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DynamicUser = true;
## This is desirable but would restrict bindIP to 127.0.0.1
#IPAddressAllow = "localhost";
#IPAddressDeny = "any";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
@ -122,8 +122,10 @@ in {
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = cfg.port;
SocketBindDeny = "any";
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
};
};
};
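Review bot: Commenting out IPAddressAllow/IPAddressDeny (lines 18-20) removes the network address filter for every deployment, while the comment on line 18 says the filter is only a problem for a non-loopback bindIP. If the module exposes that setting as `cfg.bindIP` and `lib` is in scope (the unqualified `escapeShellArgs` suggests it is), the filter could be kept conditionally, e.g. `IPAddressAllow = mkIf (cfg.bindIP == "127.0.0.1") "localhost";` and `IPAddressDeny = mkIf (cfg.bindIP == "127.0.0.1") "any";`. Note, however, that the test in this PR runs alps on a different node from postfix/dovecot, so an allow list of `localhost` alone would also block the outbound IMAP/SMTP connections; the addresses the filter must permit should be confirmed before it is re-enabled, and the reason for disabling it should be recorded in the line 18 comment. Separately, the SystemCallFilter change (lines 33-34) drops `@resources` from the allow set; `@system-service` already includes `@resources` as far as I recall, so this is likely a no-op worth confirming with `systemd-analyze syscall-filter @system-service`.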


@ -90,7 +90,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
};
};
testScript = ''
testScript = { nodes, ... }: ''
server.start()
server.wait_for_unit("postfix.service")
server.wait_for_unit("dovecot2.service")
@ -99,6 +99,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
client.start()
client.wait_for_unit("alps.service")
client.wait_for_open_port(${toString nodes.client.config.services.alps.port})
client.succeed("test-alps-login")
'';
})