Merge pull request #120536 from mweinelt/mosquitto

Martin Weinelt 2021-05-03 00:41:21 +02:00 committed by GitHub
commit d67fc76603
2 changed files with 44 additions and 7 deletions


@ -20,8 +20,7 @@ let
acl_file ${aclFile} acl_file ${aclFile}
persistence true persistence true
allow_anonymous ${boolToString cfg.allowAnonymous} allow_anonymous ${boolToString cfg.allowAnonymous}
bind_address ${cfg.host} listener ${toString cfg.port} ${cfg.host}
port ${toString cfg.port}
${passwordConf} ${passwordConf}
${listenerConf} ${listenerConf}
${cfg.extraConf} ${cfg.extraConf}
@ -233,15 +232,50 @@ in
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ProtectSystem = "strict"; # Hardening
ProtectHome = true; CapabilityBoundingSet = "";
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
ReadWritePaths = "${cfg.dataDir}"; PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
NoNewPrivileges = true; ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
ReadWritePaths = [
cfg.dataDir
"/tmp" # mosquitto_passwd creates files in /tmp before moving them
];
ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
certfile
keyfile
cafile
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_UNIX" # for sd_notify() call
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
}; };
preStart = '' preStart = ''
rm -f ${cfg.dataDir}/passwd rm -f ${cfg.dataDir}/passwd
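Review bot: `ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ certfile keyfile cafile ];` puts a `null` into the list whenever one of the three SSL paths is an optional option left unset (the option declarations are outside this hunk, so this is inferred), and unit generation would then fail for users who enable TLS without, say, a CA file. Filtering nulls keeps the entry harmless and also drops the redundant parentheses: `ReadOnlyPaths = with cfg.ssl; lib.optionals enable (lib.filter (p: p != null) [ certfile keyfile cafile ]);`. It is worth a comment on that line that with `ProtectSystem = "strict"` the whole tree is already read-only, so this entry only matters for key material located under `cfg.dataDir` or `/tmp`. Separately, `PrivateUsers = true;` maps every UID/GID other than root and the service's own to nobody, so certificate files that are readable only through a supplementary group may become unreadable inside the sandbox; if that holds, a comment such as `# PrivateUsers: cert/key files must be readable by the mosquitto user itself, not via group membership` would save users a confusing failure. The serviceConfig attrset starts before this hunk.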


@ -1,4 +1,4 @@
import ./make-test-python.nix ({ pkgs, ... }: import ./make-test-python.nix ({ pkgs, lib, ... }:
let let
port = 1888; port = 1888;
@ -30,6 +30,9 @@ in {
]; ];
}; };
}; };
# disable private /tmp for this test
systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
}; };
client1 = client; client1 = client;
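Review bot: `systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;` switches off a hardening setting this same PR adds, so the test no longer exercises the broker with the `/tmp` layout users actually get, and the comment above it says what is done but not why. Expand the comment to name the step that needs a shared `/tmp`, e.g. `# disable private /tmp for this test: <test step that reads or writes /tmp from outside the unit>`, so a later reader can relocate that step and drop the override. If the reason is that the test itself places files in `/tmp` for the broker to consume, putting them under the service's data directory would let the test run against the unmodified hardened unit. The enclosing attrset starts before and continues after this hunk.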