From cf3b62e01e02806fdfc46dfc761ea20a67049bea Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 22 Aug 2024 22:58:48 +0200 Subject: [PATCH] bekkalokk/phpfpm-*: systemd hardening --- hosts/bekkalokk/configuration.nix | 1 + hosts/bekkalokk/services/phpfpm.nix | 51 +++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 hosts/bekkalokk/services/phpfpm.nix diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index bbc3c6b..ff2f1af 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -11,6 +11,7 @@ ./services/kerberos ./services/mediawiki ./services/nginx.nix + ./services/phpfpm.nix ./services/vaultwarden.nix ./services/webmail ./services/website diff --git a/hosts/bekkalokk/services/phpfpm.nix b/hosts/bekkalokk/services/phpfpm.nix new file mode 100644 index 0000000..d796ff7 --- /dev/null +++ b/hosts/bekkalokk/services/phpfpm.nix @@ -0,0 +1,51 @@ +{ lib, ... }: +let + pools = map (pool: "phpfpm-${pool}") [ + "idp" + "mediawiki" + "pvv-nettsiden" + "roundcube" + "snappymail" + ]; +in +{ + # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/ + systemd.services = lib.genAttrs pools (_: { + serviceConfig = let + caps = [ + "CAP_NET_BIND_SERVICE" + "CAP_SETGID" + "CAP_SETUID" + "CAP_CHOWN" + "CAP_KILL" + "CAP_IPC_LOCK" + "CAP_DAC_OVERRIDE" + ]; + in { + AmbientCapabilities = caps; + CapabilityBoundingSet = caps; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateMounts = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RemoveIPC = true; + UMask = "0077"; + RestrictNamespaces = "~mnt"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + KeyringMode = "private"; + SystemCallFilter = [ + "@system-service" + ]; + }; + }); +}