
nixos/nebula: harden systemd unit

+22 -1
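--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -204,8 +204,27 @@
 Type = "simple";
 Restart = "always";
 ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
+UMask = "0027";
 CapabilityBoundingSet = "CAP_NET_ADMIN";
 AmbientCapabilities = "CAP_NET_ADMIN";
+LockPersonality = true;
+NoNewPrivileges = true;
+PrivateDevices = false; # needs access to /dev/net/tun (below)
+DeviceAllow = "/dev/net/tun rw";
+DevicePolicy = "closed";
+PrivateTmp = true;
+PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RestrictNamespaces = true;
+RestrictSUIDSGID = true;
 User = networkId;
 Group = networkId;
 };
@@ -227,6 +246,8 @@
 };
 }) enabledNetworks);
 
-users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks);
+users.groups = mkMerge (mapAttrsToList (netName: netCfg: {
+${nameToId netName} = {};
+}) enabledNetworks);
 };
 }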
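Review bot: The sandbox added in the first hunk leaves socket families and syscall architectures unrestricted, which are the usual companions to this set of directives; `RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";` and `SystemCallArchitectures = "native";` next to `RestrictNamespaces` would close that, with AF_NETLINK presumably needed for configuring the tun interface — confirm against what nebula actually opens before merging. The comment on `PrivateUsers = false` could be more precise, since it is the ambient CAP_NET_ADMIN that must be effective in the host's user/network namespace to manage the tun device, e.g. `# CAP_NET_ADMIN must be effective in the host namespace to manage the tun interface`. `ProtectHome = true` and `ProtectSystem = "strict"` also mean any `pki` paths a user places under /home or /root become unreadable to the unit; the module option documentation should say that key and certificate files must live outside those trees. The serviceConfig attribute set these lines belong to starts before the hunk.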