Merge pull request #310366 from mweinelt/pretix-pretalx-homemode

pretix, pretalx: fixes, hardening

authored by Martin Weinelt and committed by GitHub 7da17ece d51389b6

+57 -13
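--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -345,8 +345,11 @@
 
 # Pretix
 pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
 nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
 nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt
 
 # incus/lxc/lxd
 nixos/maintainers/scripts/lxd/ @adamcstephens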
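--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -24,7 +24,7 @@
 
 {
 meta = with lib; {
-maintainers = teams.c3d2.members;
+maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
 };
 
 options.services.pretalx = {
@@ -329,10 +329,47 @@
 serviceConfig = {
 User = "pretalx";
 Group = "pretalx";
-StateDirectory = [ "pretalx" "pretalx/media" ];
+StateDirectory = [
+"pretalx"
+"pretalx/media"
+];
+StateDirectoryMode = "0750";
 LogsDirectory = "pretalx";
 WorkingDirectory = cfg.settings.filesystem.data;
 SupplementaryGroups = [ "redis-pretalx" ];
+AmbientCapabilities = "";
+CapabilityBoundingSet = [ "" ];
+DevicePolicy = "closed";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+"@chown"
+];
+UMask = "0027";
 };
 };
 in {
@@ -395,6 +432,8 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
 });
+
+nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
 };
 
 systemd.sockets.pretalx-web.socketConfig = {
@@ -403,11 +442,9 @@
 };
 
 users = {
-groups."${cfg.group}" = {};
-users."${cfg.user}" = {
+groups.${cfg.group} = {};
+users.${cfg.user} = {
 isSystemUser = true;
-createHome = true;
-home = cfg.settings.filesystem.data;
 inherit (cfg) group;
 };
 };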
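Review bot: With `ProtectSystem = "strict"` added to the shared serviceConfig (new lines 340–372), the unit can only write below its StateDirectory and LogsDirectory, yet `WorkingDirectory = cfg.settings.filesystem.data` suggests the data and media locations are user-configurable; if either can point outside /var/lib/pretalx, writes will fail on a read-only filesystem unless the module adds a `ReadWritePaths` entry or asserts the default location — the option definitions are outside this hunk, so please confirm. The `});` after the celery ExecStart at new line 434 looks like a merge with this same serviceConfig, so `MemoryDenyWriteExecute` and the `@system-service` filter apply to the worker too and deserve the same test coverage as pretalx-web. Giving nginx the pretalx group (new line 436) together with StateDirectoryMode 0750 and UMask 0027 makes every group-readable file under /var/lib/pretalx visible to nginx, not only media; if anything sensitive such as a generated secret-key file lives there, it should be created 0600 rather than rely on the umask, which is worth a comment on that line, e.g. `# nginx serves media/static from the state dir; anything secret in there must be 0600`. The same nginx group grant and the removal of `createHome`/`home` are repeated in pretix.nix.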
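--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@@ -468,7 +468,7 @@
 StateDirectory = [
 "pretix"
 ];
-StateDirectoryMode = "0755";
+StateDirectoryMode = "0750";
 CacheDirectory = "pretix";
 LogsDirectory = "pretix";
 WorkingDirectory = cfg.settings.pretix.datadir;
@@ -507,7 +507,7 @@
 "~@privileged"
 "@chown"
 ];
-UMask = "0022";
+UMask = "0027";
 };
 };
 in {
@@ -561,6 +561,8 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
 };
+
+nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
 };
 
 systemd.sockets.pretix-web.socketConfig = {
@@ -569,11 +571,9 @@
 };
 
 users = {
-groups."${cfg.group}" = {};
-users."${cfg.user}" = {
+groups.${cfg.group} = {};
+users.${cfg.user} = {
 isSystemUser = true;
-createHome = true;
-home = cfg.settings.pretix.datadir;
 inherit (cfg) group;
 };
 };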
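Review bot: Tightening `StateDirectoryMode` to 0750 (new line 471) and `UMask` to 0027 (new line 510) only affects directories systemd creates and files pretix writes from now on; on an existing deployment the tree under /var/lib/pretix that was populated under the old 0022 umask stays world-readable, and as far as I know systemd does not re-chmod anything below the top-level state directory — please confirm. If the intent is to stop other local users from reading uploaded files, a release-note entry or a guarded one-off `chmod -R o-rwx` of the data directory in a preStart would close that gap for upgrades. Dropping `createHome`/`home` for the service user is consistent with `ProtectHome`, but it also rewrites the passwd entry on existing systems, which is worth a sentence in the PR description; pretalx.nix makes the same change.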
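--- a/nixos/tests/web-apps/pretalx.nix
+++ b/nixos/tests/web-apps/pretalx.nix
@@ -27,5 +27,9 @@
 pretalx.wait_for_unit("pretalx-worker.service")
 
 pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
+
+pretalx.succeed("pretalx-manage --help")
+
+pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
 '';
 }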
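Review bot: The `systemd-analyze security pretalx-web.service` result on new line 33 is only logged, so a later regression in the sandbox would not fail the test; if the systemd in the test VM supports it, `pretalx.succeed("systemd-analyze security --threshold=<current-score> pretalx-web.service")` turns it into an assertion. The worker unit receives the same serviceConfig as far as the module hunk shows but is not analyzed here, so adding `pretalx-worker.service` to the check would cover both entry points. `pretalx-manage --help` only proves the wrapper starts; a command that actually opens the database and the data directory, such as `pretalx-manage check`, would exercise the new ProtectSystem/UMask settings rather than just the interpreter.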
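--- a/pkgs/by-name/pr/pretalx/package.nix
+++ b/pkgs/by-name/pr/pretalx/package.nix
@@ -42,7 +42,7 @@
 homepage = "https://github.com/pretalx/pretalx";
 changelog = "https://docs.pretalx.org/en/latest/changelog.html";
 license = licenses.asl20;
-maintainers = teams.c3d2.members;
+maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
 platforms = platforms.linux;
 };
 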