diff --git a/base.nix b/base.nix index 4b1e171..37d8a4d 100644 --- a/base.nix +++ b/base.nix @@ -82,6 +82,47 @@ (!config.boot.isContainer or false) ]) true; + systemd.services.thermald = lib.mkIf config.services.thermald.enable { + documentation = [ "man:thermald(8)" "man:thermal-conf.xml(5)" ]; + unitConfig.ConditionVirtualization = "no"; + + serviceConfig = { + PrivateUsers = true; + PrivateNetwork = true; + + # AmbientCapabilities = [ "" ]; + # CapabilityBoundingSet = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + # PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = "yes"; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; #? + ProtectProc = "invisible"; #? + ProtectSystem = "strict"; + RemoveIPC = true; + UMask = "0777"; + RestrictNamespaces = true; + # RestrictRealtime = true; #? + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SocketBindDeny = [ "any" ]; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + }; + }; + services.openssh = { enable = true; extraConfig = '' 
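Review bot: `ProtectKernelTunables = true` (already marked `#?`) mounts /sys read-only for the unit, and thermald acts by writing cooling-device states and power limits under /sys, so as written the daemon will very likely be left unable to do anything; drop the setting or confirm on the host that thermald still changes cooling states. `UMask = "0777"` looks like a typo for `"0077"` — the value the phpfpm file in this same commit uses — since 0777 strips every permission bit from any file the service creates. `PrivateTmp = "yes"` is accepted, but every other boolean in the block is written as `true`, so `PrivateTmp = true;` keeps the style uniform. `PrivateUsers = true` also leaves the process with no capabilities in the host user namespace, which is worth checking against thermald's sysfs and MSR access before relying on this unit.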
@@ -133,6 +174,49 @@ extraConfig = "return 444;"; }; + # TODO: upstream + # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service + systemd.services.logrotate = { + documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; + unitConfig.RequiresMountsFor = "/var/log"; + serviceConfig = { + Nice = 19; + IOSchedulingClass = "best-effort"; + IOSchedulingPriority = 7; + + ReadWritePaths = [ "/var/log" ]; + + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; # disable for third party rotate scripts + PrivateDevices = true; + PrivateNetwork = true; # disable for mail delivery + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; # disable for userdir logs + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "full"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; # disable for creating setgid directories + SocketBindDeny = [ "any" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + # "~@privileged" + # "~@resources" + ]; + }; + }; + networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ]; security.acme = { diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index bbc3c6b..ff2f1af 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -11,6 +11,7 @@ ./services/kerberos ./services/mediawiki ./services/nginx.nix + ./services/phpfpm.nix ./services/vaultwarden.nix ./services/webmail ./services/website diff --git a/hosts/bekkalokk/services/phpfpm.nix b/hosts/bekkalokk/services/phpfpm.nix new file mode 100644 index 0000000..862dd1d --- /dev/null +++ b/hosts/bekkalokk/services/phpfpm.nix 
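Review bot: `CapabilityBoundingSet = [ "" ]` removes every capability from a root-run logrotate, so `su user group` and `create mode owner group` directives (CAP_SETUID/CAP_SETGID, CAP_CHOWN), reading logs owned by service users (CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH) and a `postrotate` signal to another user's process (CAP_KILL) will all fail; the inline comments anticipate setgid directories and mail delivery but not this. If the host's rotation configs use those directives — nginx rotation on NixOS commonly does — a minimal replacement is `CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH" "CAP_FOWNER" "CAP_KILL" "CAP_SETGID" "CAP_SETUID" ];`, with `AmbientCapabilities` left empty since the unit runs as root. `ReadWritePaths = [ "/var/log" ]` has no effect under `ProtectSystem = "full"`, which already leaves /var writable; it only becomes meaningful with `ProtectSystem = "strict"`, so either switch to strict (adding any other path logrotate writes, such as its state file) or drop the line so the unit does not imply a sandbox it does not have. The `# TODO: upstream` note would be clearer if it said what is meant to be upstreamed and where.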
@@ -0,0 +1,53 @@
+{ lib, ... }:
+let
+ pools = map (pool: "phpfpm-${pool}") [
+ "idp"
+ "mediawiki"
+ "pvv-nettsiden"
+ "roundcube"
+ "snappymail"
+ ];
+in
+{
+ # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
+ systemd.services = lib.genAttrs pools (_: {
+ serviceConfig = let
+ caps = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_SETGID"
+ "CAP_SETUID"
+ "CAP_CHOWN"
+ "CAP_KILL"
+ "CAP_IPC_LOCK"
+ "CAP_DAC_OVERRIDE"
+ ];
+ in {
+ AmbientCapabilities = caps;
+ CapabilityBoundingSet = caps;
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true; # Needed to read passwords from /run maybe?
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = "~mnt";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ KeyringMode = "private";
+ SystemCallFilter = [
+ "@system-service"
+ # "~@privileged"
+ # "~@resources"
+ ];
+ };
+ });
+}
diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
index 13722ce..53cad4a 100644
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
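Review bot: The comment on `ProtectHome = true` does not describe that option — ProtectHome hides /home, /root and /run/user and does nothing to /run itself — so the password question it raises is left open; replace it with something like `ProtectHome = true; # hides /home, /root and /run/user; pool secrets under /run stay readable` once the concern is checked. `RestrictNamespaces = "~mnt"` forbids only mount namespaces and still permits user, net, pid and the others, which php-fpm has no evident need for; `RestrictNamespaces = true;` is the stricter form unless a pool relies on one of them. The `pools` list is hard-coded, so the file assumes all five pools exist on this host; a name here without a matching `services.phpfpm.pools` entry would, as far as I can tell, render a unit carrying only this hardening block and no ExecStart, which deserves a comment at the `pools` binding.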
@@ -65,4 +65,42 @@ in {
 proxyWebsockets = true;
 };
 };
+
+ systemd.services.vaultwarden = lib.mkIf cfg.enable {
+ serviceConfig = {
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ # IPAddressDeny = [ "any" ];
+ # IPAddressAllow = [ ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ # MemoryDenyWriteExecute = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0007";
+ };
+ };
 }
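Review bot: Several keys set here — `ProtectHome` and `AmbientCapabilities` among them — are, as far as I recall, also defined by the NixOS vaultwarden module; NixOS merges `serviceConfig` per key, concatenating lists and requiring scalars to agree, so a duplicate with a different type or value fails evaluation and a concatenated `AmbientCapabilities` depends on line order in the rendered unit. Check the module's serviceConfig and either drop the duplicates or pin the intended value with `lib.mkForce`. The commented-out `IPAddressDeny`/`IPAddressAllow` pair and the commented `MemoryDenyWriteExecute` would read better with a short reason for being off, e.g. `# MemoryDenyWriteExecute = true; # breaks <what>`, the way the logrotate block in this commit annotates its exceptions. The enclosing `in {` attribute set begins outside the hunk.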