b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nixos/alps: add hardening, extensible options, test

Browse source
This commit is contained in:
Henri Menke 2022-11-16 17:56:44 +01:00
parent 4698895021
commit aeb5a692c3
No known key found for this signature in database
GPG key ID: FB7AD61E3D806382
3 changed files with 112 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
nixos/modules/services/web-apps/alps.nix
View file

@ -70,6 +70,23 @@ in {
'';
};
};
package = mkOption {
internal = true;
type = types.package;
default = pkgs.alps;
};
args = mkOption {
internal = true;
type = types.listOf types.str;
default = [
"-addr" "${cfg.bindIP}:${toString cfg.port}"
"-theme" "${cfg.theme}"
"imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
"smpts://${cfg.smtps.host}:${toString cfg.smtps.port}"
];
};
};
config = mkIf cfg.enable {
@ -80,16 +97,33 @@ in {
after = [ "network.target" "network-online.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.alps}/bin/alps \
-addr ${cfg.bindIP}:${toString cfg.port} \
-theme ${cfg.theme} \
imaps://${cfg.imaps.host}:${toString cfg.imaps.port} \
smpts://${cfg.smtps.host}:${toString cfg.smtps.port}
'';
StateDirectory = "alps";
WorkingDirectory = "/var/lib/alps";
ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
DynamicUser = true;
## This is desirable but would restrict bindIP to 127.0.0.1
#IPAddressAllow = "localhost";
#IPAddressDeny = "any";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
};
};
};

1
nixos/tests/all-tests.nix
View file

@ -74,6 +74,7 @@ in {
agda = handleTest ./agda.nix {};
airsonic = handleTest ./airsonic.nix {};
allTerminfo = handleTest ./all-terminfo.nix {};
alps = handleTest ./alps.nix {};
amazon-init-shell = handleTest ./amazon-init-shell.nix {};
apfs = handleTest ./apfs.nix {};
apparmor = handleTest ./apparmor.nix {};

68
nixos/tests/alps.nix Normal file
View file

@ -0,0 +1,68 @@
let
certs = import ./common/acme/server/snakeoil-certs.nix;
domain = certs.domain;
in
import ./make-test-python.nix {
name = "alps";
nodes = {
server = {
imports = [ ./common/user-account.nix ];
security.pki.certificateFiles = [
certs.ca.cert
];
networking.extraHosts = ''
127.0.0.1 ${domain}
'';
networking.firewall.allowedTCPPorts = [ 25 465 993 ];
services.postfix = {
enable = true;
enableSubmission = true;
enableSubmissions = true;
tlsTrustedAuthorities = "${certs.ca.cert}";
sslCert = "${certs.${domain}.cert}";
sslKey = "${certs.${domain}.key}";
};
services.dovecot2 = {
enable = true;
enableImap = true;
sslCACert = "${certs.ca.cert}";
sslServerCert = "${certs.${domain}.cert}";
sslServerKey = "${certs.${domain}.key}";
};
};
client = { nodes, ... }: {
security.pki.certificateFiles = [
certs.ca.cert
];
networking.extraHosts = ''
${nodes.server.config.networking.primaryIPAddress} ${domain}
'';
services.alps = {
enable = true;
theme = "alps";
imaps = {
host = domain;
port = 993;
};
smtps = {
host = domain;
port = 465;
};
};
};
};
testScript = ''
server.start()
server.wait_for_unit("postfix.service")
server.wait_for_unit("dovecot2.service")
server.wait_for_open_port(465)
server.wait_for_open_port(993)
client.start()
client.wait_for_unit("alps.service")
client.wait_until_succeeds("curl -fvvv -s http://127.0.0.1:1323/", timeout=60)
'';
}