
nixos/alps: add hardening, extensible options, test

+112 -9
+43 -9
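--- a/nixos/modules/services/web-apps/alps.nix
+++ b/nixos/modules/services/web-apps/alps.nix
@@ -70,6 +70,23 @@
         '';
       };
     };
+
+    package = mkOption {
+      internal = true;
+      type = types.package;
+      default = pkgs.alps;
+    };
+
+    args = mkOption {
+      internal = true;
+      type = types.listOf types.str;
+      default = [
+        "-addr" "${cfg.bindIP}:${toString cfg.port}"
+        "-theme" "${cfg.theme}"
+        "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
+        "smpts://${cfg.smtps.host}:${toString cfg.smtps.port}"
+      ];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -80,16 +97,33 @@
       after = [ "network.target" "network-online.target" ];
 
       serviceConfig = {
-        ExecStart = ''
-          ${pkgs.alps}/bin/alps \
-            -addr ${cfg.bindIP}:${toString cfg.port} \
-            -theme ${cfg.theme} \
-            imaps://${cfg.imaps.host}:${toString cfg.imaps.port} \
-            smpts://${cfg.smtps.host}:${toString cfg.smtps.port}
-        '';
-        StateDirectory = "alps";
-        WorkingDirectory = "/var/lib/alps";
+        ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
         DynamicUser = true;
+        ## This is desirable but would restrict bindIP to 127.0.0.1
+        #IPAddressAllow = "localhost";
+        #IPAddressDeny = "any";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateIPC = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
       };
     };
   };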
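Review bot: The upstream URL scheme in the new `args` default, `"smpts://${cfg.smtps.host}:${toString cfg.smtps.port}"`, looks like a typo carried over from the removed ExecStart and should read `"smtps://${cfg.smtps.host}:${toString cfg.smtps.port}"`; the scheme is what alps uses to select the SMTP transport, so if it tolerates an unknown scheme the unit starts cleanly and mail sending breaks silently. The new test only fetches the HTTP front page and never logs in or sends mail, so it would not catch this. Separately, `StateDirectory` and `WorkingDirectory` are dropped at the same time `ProtectSystem = "strict"` is added, leaving the service with no writable path at all; if alps genuinely keeps no state, a one-line comment next to `ProtectSystem` such as `# alps keeps no on-disk state, so no StateDirectory is needed under ProtectSystem=strict` would stop the next maintainer from re-adding it. The module's `options` and `config` attrsets begin outside the shown hunks.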
+1
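--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -74,6 +74,7 @@
   agda = handleTest ./agda.nix {};
   airsonic = handleTest ./airsonic.nix {};
   allTerminfo = handleTest ./all-terminfo.nix {};
+  alps = handleTest ./alps.nix {};
   amazon-init-shell = handleTest ./amazon-init-shell.nix {};
   apfs = handleTest ./apfs.nix {};
   apparmor = handleTest ./apparmor.nix {};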
+68
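--- /dev/null
+++ b/nixos/tests/alps.nix
@@ -0,0 +1,68 @@
+let
+  certs = import ./common/acme/server/snakeoil-certs.nix;
+  domain = certs.domain;
+in
+import ./make-test-python.nix {
+  name = "alps";
+
+  nodes = {
+    server = {
+      imports = [ ./common/user-account.nix ];
+      security.pki.certificateFiles = [
+        certs.ca.cert
+      ];
+      networking.extraHosts = ''
+        127.0.0.1 ${domain}
+      '';
+      networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+      services.postfix = {
+        enable = true;
+        enableSubmission = true;
+        enableSubmissions = true;
+        tlsTrustedAuthorities = "${certs.ca.cert}";
+        sslCert = "${certs.${domain}.cert}";
+        sslKey = "${certs.${domain}.key}";
+      };
+      services.dovecot2 = {
+        enable = true;
+        enableImap = true;
+        sslCACert = "${certs.ca.cert}";
+        sslServerCert = "${certs.${domain}.cert}";
+        sslServerKey = "${certs.${domain}.key}";
+      };
+    };
+
+    client = { nodes, ... }: {
+      security.pki.certificateFiles = [
+        certs.ca.cert
+      ];
+      networking.extraHosts = ''
+        ${nodes.server.config.networking.primaryIPAddress} ${domain}
+      '';
+      services.alps = {
+        enable = true;
+        theme = "alps";
+        imaps = {
+          host = domain;
+          port = 993;
+        };
+        smtps = {
+          host = domain;
+          port = 465;
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    server.start()
+    server.wait_for_unit("postfix.service")
+    server.wait_for_unit("dovecot2.service")
+    server.wait_for_open_port(465)
+    server.wait_for_open_port(993)
+
+    client.start()
+    client.wait_for_unit("alps.service")
+    client.wait_until_succeeds("curl -fvvv -s http://127.0.0.1:1323/", timeout=60)
+  '';
+}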
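Review bot: The test's only assertion is `client.wait_until_succeeds("curl -fvvv -s http://127.0.0.1:1323/", timeout=60)`, which proves the HTTP listener is up but never exercises the IMAPS or SMTPS upstreams, the CA trust installed via `security.pki.certificateFiles`, or the account pulled in by `./common/user-account.nix`; a wrong upstream host, port or scheme in the module would still pass. A follow-up step that submits that test account's credentials to alps's login form and expects a non-error response would at least drive the IMAPS connection to dovecot, which is the path the hardening (`RestrictAddressFamilies`, `SystemCallFilter`) is most likely to break. The probe's flags also mix verbose and silent output; `curl -fsS http://127.0.0.1:1323/` is the usual form for a check that stays quiet on success and reports on failure.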