nixos/public-inbox: support enabling confinement
Add support for enabling confinement but does not enable it by default yet because so far no module within NixOS uses confinement hence that would set a precedent.
This commit is contained in:
parent
8b2b5be3b5
commit
c646d375d3
|
@ -48,78 +48,98 @@ let
|
||||||
let proto = removeSuffix "d" srv;
|
let proto = removeSuffix "d" srv;
|
||||||
needNetwork = builtins.hasAttr proto cfg && cfg.${proto}.port == null;
|
needNetwork = builtins.hasAttr proto cfg && cfg.${proto}.port == null;
|
||||||
in {
|
in {
|
||||||
# Enable JIT-compiled C (via Inline::C)
|
serviceConfig = {
|
||||||
Environment = [ "PERL_INLINE_DIRECTORY=/run/public-inbox-${srv}/perl-inline" ];
|
# Enable JIT-compiled C (via Inline::C)
|
||||||
# NonBlocking is REQUIRED to avoid a race condition
|
Environment = [ "PERL_INLINE_DIRECTORY=/run/public-inbox-${srv}/perl-inline" ];
|
||||||
# if running simultaneous services.
|
# NonBlocking is REQUIRED to avoid a race condition
|
||||||
NonBlocking = true;
|
# if running simultaneous services.
|
||||||
#LimitNOFILE = 30000;
|
NonBlocking = true;
|
||||||
User = config.users.users."public-inbox".name;
|
#LimitNOFILE = 30000;
|
||||||
Group = config.users.groups."public-inbox".name;
|
User = config.users.users."public-inbox".name;
|
||||||
RuntimeDirectory = [
|
Group = config.users.groups."public-inbox".name;
|
||||||
"public-inbox-${srv}/perl-inline"
|
RuntimeDirectory = [
|
||||||
# Create RootDirectory= in the host's mount namespace.
|
"public-inbox-${srv}/perl-inline"
|
||||||
"public-inbox-${srv}/root"
|
];
|
||||||
];
|
RuntimeDirectoryMode = "700";
|
||||||
RuntimeDirectoryMode = "700";
|
# This is for BindPaths= and BindReadOnlyPaths=
|
||||||
# Avoid mounting RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
|
# to allow traversal of directories they create inside RootDirectory=
|
||||||
InaccessiblePaths = ["-+/run/public-inbox-${srv}/root"];
|
UMask = "0066";
|
||||||
# This is for BindPaths= and BindReadOnlyPaths=
|
StateDirectory = ["public-inbox"];
|
||||||
# to allow traversal of directories they create in RootDirectory=.
|
StateDirectoryMode = "0750";
|
||||||
UMask = "0066";
|
WorkingDirectory = stateDir;
|
||||||
RootDirectory = "/run/public-inbox-${srv}/root";
|
BindReadOnlyPaths = [
|
||||||
RootDirectoryStartOnly = true;
|
"/etc"
|
||||||
WorkingDirectory = stateDir;
|
"/run/systemd"
|
||||||
MountAPIVFS = true;
|
"${config.i18n.glibcLocales}"
|
||||||
BindReadOnlyPaths = [
|
] ++
|
||||||
builtins.storeDir
|
mapAttrsToList (name: inbox: inbox.description) cfg.inboxes ++
|
||||||
"/etc"
|
# Without confinement the whole Nix store
|
||||||
"/run"
|
# is made available to the service
|
||||||
# For Inline::C
|
optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [
|
||||||
"/bin/sh"
|
"${pkgs.dash}/bin/dash:/bin/sh"
|
||||||
];
|
builtins.storeDir
|
||||||
BindPaths = [
|
];
|
||||||
stateDir
|
# The following options are only for optimizing:
|
||||||
];
|
# systemd-analyze security public-inbox-'*'
|
||||||
# The following options are only for optimizing:
|
AmbientCapabilities = "";
|
||||||
# systemd-analyze security public-inbox-'*'
|
CapabilityBoundingSet = "";
|
||||||
AmbientCapabilities = "";
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
CapabilityBoundingSet = "";
|
DeviceAllow = "";
|
||||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
LockPersonality = true;
|
||||||
DeviceAllow = "";
|
MemoryDenyWriteExecute = true;
|
||||||
LockPersonality = true;
|
NoNewPrivileges = true;
|
||||||
MemoryDenyWriteExecute = true;
|
PrivateNetwork = mkDefault (!needNetwork);
|
||||||
NoNewPrivileges = true;
|
ProcSubset = "pid";
|
||||||
PrivateDevices = true;
|
ProtectClock = true;
|
||||||
PrivateMounts = true;
|
ProtectHome = mkDefault true;
|
||||||
PrivateNetwork = mkDefault (!needNetwork);
|
ProtectHostname = true;
|
||||||
PrivateTmp = true;
|
ProtectKernelLogs = true;
|
||||||
PrivateUsers = true;
|
ProtectProc = "invisible";
|
||||||
ProcSubset = "pid";
|
#ProtectSystem = "strict";
|
||||||
ProtectClock = true;
|
RemoveIPC = true;
|
||||||
ProtectControlGroups = true;
|
RestrictAddressFamilies = [ "AF_UNIX" ] ++
|
||||||
ProtectHome = mkDefault true;
|
optionals needNetwork [ "AF_INET" "AF_INET6" ];
|
||||||
ProtectHostname = true;
|
RestrictNamespaces = true;
|
||||||
ProtectKernelLogs = true;
|
RestrictRealtime = true;
|
||||||
ProtectKernelModules = true;
|
RestrictSUIDSGID = true;
|
||||||
ProtectKernelTunables = true;
|
SystemCallFilter = [
|
||||||
ProtectProc = "invisible";
|
"@system-service"
|
||||||
ProtectSystem = "strict";
|
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources"
|
||||||
RemoveIPC = true;
|
# Not removing @setuid and @privileged because Inline::C needs them.
|
||||||
RestrictAddressFamilies = [ "AF_UNIX" ]
|
# Not removing @timer because git upload-pack needs it.
|
||||||
++ optionals needNetwork [ "AF_INET" "AF_INET6" ];
|
];
|
||||||
RestrictNamespaces = true;
|
SystemCallArchitectures = "native";
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
# The following options are redundant when confinement is enabled
|
||||||
SystemCallFilter = [
|
RootDirectory = "/var/empty";
|
||||||
"@system-service"
|
TemporaryFileSystem = "/";
|
||||||
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources"
|
PrivateMounts = true;
|
||||||
# Not removing @setuid and @privileged
|
MountAPIVFS = true;
|
||||||
# because Inline::C needs them.
|
PrivateDevices = true;
|
||||||
# Not removing @timer
|
PrivateTmp = true;
|
||||||
# because git upload-pack needs it.
|
PrivateUsers = true;
|
||||||
];
|
ProtectControlGroups = true;
|
||||||
SystemCallArchitectures = "native";
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
};
|
||||||
|
confinement = {
|
||||||
|
# Until we agree upon doing it directly here in NixOS
|
||||||
|
# https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447
|
||||||
|
# let the user choose to enable the confinement with:
|
||||||
|
# systemd.services.public-inbox-httpd.confinement.enable = true;
|
||||||
|
# systemd.services.public-inbox-imapd.confinement.enable = true;
|
||||||
|
# systemd.services.public-inbox-init.confinement.enable = true;
|
||||||
|
# systemd.services.public-inbox-nntpd.confinement.enable = true;
|
||||||
|
#enable = true;
|
||||||
|
mode = "full-apivfs";
|
||||||
|
# Inline::C needs a /bin/sh, and dash is enough
|
||||||
|
binSh = "${pkgs.dash}/bin/dash";
|
||||||
|
packages = [
|
||||||
|
pkgs.iana-etc
|
||||||
|
(getLib pkgs.nss)
|
||||||
|
pkgs.tzdata
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
|
||||||
|
@ -168,6 +188,7 @@ in
|
||||||
type = types.str;
|
type = types.str;
|
||||||
example = "user/dev discussion of public-inbox itself";
|
example = "user/dev discussion of public-inbox itself";
|
||||||
description = "User-visible description for the repository.";
|
description = "User-visible description for the repository.";
|
||||||
|
apply = pkgs.writeText "public-inbox-description-${name}";
|
||||||
};
|
};
|
||||||
options.newsgroup = mkOption {
|
options.newsgroup = mkOption {
|
||||||
type = with types; nullOr str;
|
type = with types; nullOr str;
|
||||||
|
@ -409,24 +430,24 @@ in
|
||||||
) [ "imap" "http" "nntp" ]);
|
) [ "imap" "http" "nntp" ]);
|
||||||
systemd.services = mkMerge [
|
systemd.services = mkMerge [
|
||||||
(mkIf cfg.imap.enable
|
(mkIf cfg.imap.enable
|
||||||
{ public-inbox-imapd = {
|
{ public-inbox-imapd = mkMerge [(serviceConfig "imapd") {
|
||||||
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
||||||
requires = [ "public-inbox-init.service" ];
|
requires = [ "public-inbox-init.service" ];
|
||||||
serviceConfig = mkMerge [(serviceConfig "imapd") {
|
serviceConfig = {
|
||||||
ExecStart = escapeShellArgs (
|
ExecStart = escapeShellArgs (
|
||||||
[ "${cfg.package}/bin/public-inbox-imapd" ] ++
|
[ "${cfg.package}/bin/public-inbox-imapd" ] ++
|
||||||
cfg.imap.args ++
|
cfg.imap.args ++
|
||||||
optionals (cfg.imap.cert != null) [ "--cert" cfg.imap.cert ] ++
|
optionals (cfg.imap.cert != null) [ "--cert" cfg.imap.cert ] ++
|
||||||
optionals (cfg.imap.key != null) [ "--key" cfg.imap.key ]
|
optionals (cfg.imap.key != null) [ "--key" cfg.imap.key ]
|
||||||
);
|
);
|
||||||
}];
|
};
|
||||||
};
|
}];
|
||||||
})
|
})
|
||||||
(mkIf cfg.http.enable
|
(mkIf cfg.http.enable
|
||||||
{ public-inbox-httpd = {
|
{ public-inbox-httpd = mkMerge [(serviceConfig "httpd") {
|
||||||
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
||||||
requires = [ "public-inbox-init.service" ];
|
requires = [ "public-inbox-init.service" ];
|
||||||
serviceConfig = mkMerge [(serviceConfig "httpd") {
|
serviceConfig = {
|
||||||
ExecStart = escapeShellArgs (
|
ExecStart = escapeShellArgs (
|
||||||
[ "${cfg.package}/bin/public-inbox-httpd" ] ++
|
[ "${cfg.package}/bin/public-inbox-httpd" ] ++
|
||||||
cfg.http.args ++
|
cfg.http.args ++
|
||||||
|
@ -458,41 +479,41 @@ in
|
||||||
}
|
}
|
||||||
'') ]
|
'') ]
|
||||||
);
|
);
|
||||||
}];
|
};
|
||||||
};
|
}];
|
||||||
})
|
})
|
||||||
(mkIf cfg.nntp.enable
|
(mkIf cfg.nntp.enable
|
||||||
{ public-inbox-nntpd = {
|
{ public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") {
|
||||||
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
|
||||||
requires = [ "public-inbox-init.service" ];
|
requires = [ "public-inbox-init.service" ];
|
||||||
serviceConfig = mkMerge [(serviceConfig "nntpd") {
|
serviceConfig = {
|
||||||
ExecStart = escapeShellArgs (
|
ExecStart = escapeShellArgs (
|
||||||
[ "${cfg.package}/bin/public-inbox-nntpd" ] ++
|
[ "${cfg.package}/bin/public-inbox-nntpd" ] ++
|
||||||
cfg.nntp.args ++
|
cfg.nntp.args ++
|
||||||
optionals (cfg.nntp.cert != null) [ "--cert" cfg.nntp.cert ] ++
|
optionals (cfg.nntp.cert != null) [ "--cert" cfg.nntp.cert ] ++
|
||||||
optionals (cfg.nntp.key != null) [ "--key" cfg.nntp.key ]
|
optionals (cfg.nntp.key != null) [ "--key" cfg.nntp.key ]
|
||||||
);
|
);
|
||||||
}];
|
};
|
||||||
};
|
}];
|
||||||
})
|
})
|
||||||
(mkIf (any (inbox: inbox.watch != []) (attrValues cfg.inboxes)
|
(mkIf (any (inbox: inbox.watch != []) (attrValues cfg.inboxes)
|
||||||
|| cfg.settings.publicinboxwatch.watchspam != null)
|
|| cfg.settings.publicinboxwatch.watchspam != null)
|
||||||
{ public-inbox-watch = {
|
{ public-inbox-watch = mkMerge [(serviceConfig "watch") {
|
||||||
inherit (cfg) path;
|
inherit (cfg) path;
|
||||||
wants = [ "public-inbox-init.service" ];
|
wants = [ "public-inbox-init.service" ];
|
||||||
requires = [ "public-inbox-init.service" ] ++
|
requires = [ "public-inbox-init.service" ] ++
|
||||||
optional (cfg.settings.publicinboxwatch.spamcheck == "spamc") "spamassassin.service";
|
optional (cfg.settings.publicinboxwatch.spamcheck == "spamc") "spamassassin.service";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig = mkMerge [(serviceConfig "watch") {
|
serviceConfig = {
|
||||||
ExecStart = "${cfg.package}/bin/public-inbox-watch";
|
ExecStart = "${cfg.package}/bin/public-inbox-watch";
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
}];
|
};
|
||||||
};
|
}];
|
||||||
})
|
})
|
||||||
({ public-inbox-init = let
|
({ public-inbox-init = let
|
||||||
PI_CONFIG = gitIni.generate "public-inbox.ini"
|
PI_CONFIG = gitIni.generate "public-inbox.ini"
|
||||||
(filterAttrsRecursive (n: v: v != null) cfg.settings);
|
(filterAttrsRecursive (n: v: v != null) cfg.settings);
|
||||||
in {
|
in mkMerge [(serviceConfig "init") {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
restartIfChanged = true;
|
restartIfChanged = true;
|
||||||
restartTriggers = [ PI_CONFIG ];
|
restartTriggers = [ PI_CONFIG ];
|
||||||
|
@ -520,7 +541,7 @@ in
|
||||||
rm -rf $conf_dir
|
rm -rf $conf_dir
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ln -sf ${pkgs.writeText "description" inbox.description} \
|
ln -sf ${inbox.description} \
|
||||||
${stateDir}/inboxes/${escapeShellArg name}/description
|
${stateDir}/inboxes/${escapeShellArg name}/description
|
||||||
|
|
||||||
export GIT_DIR=${stateDir}/inboxes/${escapeShellArg name}/all.git
|
export GIT_DIR=${stateDir}/inboxes/${escapeShellArg name}/all.git
|
||||||
|
@ -540,18 +561,16 @@ in
|
||||||
${cfg.package}/bin/public-inbox-index "$inbox"
|
${cfg.package}/bin/public-inbox-index "$inbox"
|
||||||
done
|
done
|
||||||
'';
|
'';
|
||||||
serviceConfig = mkMerge [(serviceConfig "init") {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
StateDirectory = [
|
StateDirectory = [
|
||||||
"public-inbox"
|
|
||||||
"public-inbox/.public-inbox"
|
"public-inbox/.public-inbox"
|
||||||
"public-inbox/.public-inbox/emergency"
|
"public-inbox/.public-inbox/emergency"
|
||||||
"public-inbox/inboxes"
|
"public-inbox/inboxes"
|
||||||
];
|
];
|
||||||
StateDirectoryMode = "0750";
|
};
|
||||||
}];
|
}];
|
||||||
};
|
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
environment.systemPackages = with pkgs; [ cfg.package ];
|
environment.systemPackages = with pkgs; [ cfg.package ];
|
||||||
|
|
Loading…
Reference in a new issue