
services.meilisearch: restrict write paths and add hardening option RemoveIPC

6543 fcf00a6c 63ac62c2

+9 -1
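--- a/nixos/modules/services/search/meilisearch.nix
+++ b/nixos/modules/services/search/meilisearch.nix
@@ -223,6 +223,9 @@
 );
 
 serviceConfig = {
+Type = "simple";
+DynamicUser = true;
+Restart = "always";
 LoadCredential = lib.mkMerge (
 [
 (lib.mkIf (cfg.masterKeyFile != null) [ "master_key:${cfg.masterKeyFile}" ])
@@ -232,11 +235,15 @@
 ) secrets-with-path
 );
 ExecStart = "${lib.getExe cfg.package} --config-file-path \${RUNTIME_DIRECTORY}/config.toml";
-DynamicUser = true;
 StateDirectory = "meilisearch";
 WorkingDirectory = "%S/meilisearch";
 RuntimeDirectory = "meilisearch";
 RuntimeDirectoryMode = "0700";
+ReadWritePaths = [
+cfg.settings.db_path
+cfg.settings.dump_dir
+cfg.settings.snapshot_dir
+];
 
 ProtectSystem = "strict";
 ProtectHome = true;
@@ -255,6 +262,7 @@
 RestrictSUIDSGID = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
+RemoveIPC = true;
 
 # Meilisearch needs to determine cgroup memory limits to set its own memory limits.
 # This means this can't be set to "pid"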
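Review bot: The new `ReadWritePaths` list (new lines 242–246) only lifts the `ProtectSystem = "strict"` mount restriction for those three paths; with `DynamicUser = true` the service UID is allocated at start and does not own anything outside `StateDirectory`/`RuntimeDirectory`, so a user who points `db_path`, `dump_dir` or `snapshot_dir` elsewhere will still get EACCES, and systemd rejects relative entries in `ReadWritePaths` outright (whether the module defaults these to absolute paths under `%S/meilisearch` is not visible in this hunk). A comment above the list such as `# Paths outside StateDirectory must be absolute and pre-created with ownership matching the dynamic user` or an assertion on the option values would make that contract explicit. `RemoveIPC = true` (new line 265) is, as far as I recall, already implied by `DynamicUser = true`, so it is harmless but worth a note saying it is set explicitly for clarity. The added `Type = "simple"` and `Restart = "always"` are not mentioned in the commit message and would be easier to review if listed there.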