Merge pull request #310366 from mweinelt/pretix-pretalx-homemode

pretix, pretalx: fixes, hardening

authored by Martin Weinelt and committed by GitHub 7da17ece d51389b6

+57 -13
+3
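--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -345,8 +345,11 @@
 
 # Pretix
 pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
 nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
 nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt
 
 # incus/lxc/lxd
 nixos/maintainers/scripts/lxd/ @adamcstephens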
+43 -6
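--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -24,7 +24,7 @@
 
 {
 meta = with lib; {
-maintainers = teams.c3d2.members;
+maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
 };
 
 options.services.pretalx = {
@@ -329,10 +329,47 @@
 serviceConfig = {
 User = "pretalx";
 Group = "pretalx";
-StateDirectory = [ "pretalx" "pretalx/media" ];
+StateDirectory = [
+"pretalx"
+"pretalx/media"
+];
+StateDirectoryMode = "0750";
 LogsDirectory = "pretalx";
 WorkingDirectory = cfg.settings.filesystem.data;
 SupplementaryGroups = [ "redis-pretalx" ];
+AmbientCapabilities = "";
+CapabilityBoundingSet = [ "" ];
+DevicePolicy = "closed";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+"@chown"
+];
+UMask = "0027";
 };
 };
 in {
@@ -395,6 +432,8 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
 });
+
+nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
 };
 
 systemd.sockets.pretalx-web.socketConfig = {
@@ -403,11 +442,9 @@
 };
 
 users = {
-groups."${cfg.group}" = {};
-users."${cfg.user}" = {
+groups.${cfg.group} = {};
+users.${cfg.user} = {
 isSystemUser = true;
-createHome = true;
-home = cfg.settings.filesystem.data;
 inherit (cfg) group;
 };
 };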
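Review bot: Adding nginx to the `pretalx` group (new line 436) together with `StateDirectoryMode = "0750"` and `UMask = "0027"` (new lines 336 and 372) gives the nginx worker read access to everything under the state directory, not only the media and static trees it needs to serve, since files created under that umask are group-readable. If pretalx keeps its generated secret key file or other private data under `cfg.settings.filesystem.data`, as pretix does with its data directory, that file becomes readable by nginx as well — worth confirming, and if so either serving media through a dedicated group or tightening the mode of that file. The pretix.nix hunks make the same change and the same consideration applies there. The let-bound `serviceConfig` attrset at line 329 belongs to a scope that begins before the hunk. Separately, line 27 writes `[ hexa]`; nixpkgs formatting is `[ hexa ]`, and the same spacing appears in pkgs/by-name/pr/pretalx/package.nix.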
+6 -6
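--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@@ -468,7 +468,7 @@
 StateDirectory = [
 "pretix"
 ];
-StateDirectoryMode = "0755";
+StateDirectoryMode = "0750";
 CacheDirectory = "pretix";
 LogsDirectory = "pretix";
 WorkingDirectory = cfg.settings.pretix.datadir;
@@ -507,7 +507,7 @@
 "~@privileged"
 "@chown"
 ];
-UMask = "0022";
+UMask = "0027";
 };
 };
 in {
@@ -561,6 +561,8 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
 };
+
+nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
 };
 
 systemd.sockets.pretix-web.socketConfig = {
@@ -569,11 +571,9 @@
 };
 
 users = {
-groups."${cfg.group}" = {};
-users."${cfg.user}" = {
+groups.${cfg.group} = {};
+users.${cfg.user} = {
 isSystemUser = true;
-createHome = true;
-home = cfg.settings.pretix.datadir;
 inherit (cfg) group;
 };
 };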
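Review bot: Tightening `StateDirectoryMode` from `0755` to `0750` and `UMask` from `0022` to `0027` (new lines 471 and 510) is only compensated for the module's own nginx through the `mkIf cfg.nginx.enable` supplementary group at line 565; a deployment that serves the data directory through another reverse proxy, or with `nginx.enable = false`, loses read access to files it could read before, and nothing in the change announces that. A release-notes entry, or a `warnings` item in the module when `cfg.nginx.enable` is false, would make the new requirement visible before the upgrade. It is also worth confirming in the test that systemd re-applies the new mode to an already existing state directory on upgrade rather than only at creation, since a directory left at `0755` would silently keep the old exposure. The let-bound `serviceConfig` these hunks edit starts before the first hunk.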
+4
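--- a/nixos/tests/web-apps/pretalx.nix
+++ b/nixos/tests/web-apps/pretalx.nix
@@ -27,5 +27,9 @@
 pretalx.wait_for_unit("pretalx-worker.service")
 
 pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
+
+pretalx.succeed("pretalx-manage --help")
+
+pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
 '';
 }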
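Review bot: The `systemd-analyze security` output at new line 33 is only logged, so a later regression in the unit's hardening would not fail the test. `systemd-analyze security` accepts `--threshold=` to exit non-zero once the exposure score exceeds a given value (confirm the systemd in the test image supports it), so `pretalx.succeed("systemd-analyze security --no-pager --threshold=THRESHOLD pretalx-web.service")` with the current score as THRESHOLD would turn the log line into an assertion. Running the same check for `pretalx-worker.service`, which receives the identical hardening set through the shared `serviceConfig`, would cover both units.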
+1 -1
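--- a/pkgs/by-name/pr/pretalx/package.nix
+++ b/pkgs/by-name/pr/pretalx/package.nix
@@ -42,7 +42,7 @@
 homepage = "https://github.com/pretalx/pretalx";
 changelog = "https://docs.pretalx.org/en/latest/changelog.html";
 license = licenses.asl20;
-maintainers = teams.c3d2.members;
+maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
 platforms = platforms.linux;
 };
 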