some systemd hardening #67
|
@ -11,6 +11,7 @@
|
||||||
./services/kerberos
|
./services/kerberos
|
||||||
./services/mediawiki
|
./services/mediawiki
|
||||||
./services/nginx.nix
|
./services/nginx.nix
|
||||||
|
./services/phpfpm.nix
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
./services/webmail
|
./services/webmail
|
||||||
./services/website
|
./services/website
|
||||||
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
pools = map (pool: "phpfpm-${pool}") [
|
||||||
|
"idp"
|
||||||
|
"mediawiki"
|
||||||
|
"pvv-nettsiden"
|
||||||
|
"roundcube"
|
||||||
|
"snappymail"
|
||||||
|
];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
|
||||||
|
systemd.services = lib.genAttrs pools (_: {
|
||||||
|
serviceConfig = let
|
||||||
|
caps = [
|
||||||
|
"CAP_NET_BIND_SERVICE"
|
||||||
|
"CAP_SETGID"
|
||||||
|
"CAP_SETUID"
|
||||||
|
"CAP_CHOWN"
|
||||||
|
"CAP_KILL"
|
||||||
|
"CAP_IPC_LOCK"
|
||||||
|
"CAP_DAC_OVERRIDE"
|
||||||
|
];
|
||||||
|
in {
|
||||||
|
AmbientCapabilities = caps;
|
||||||
|
CapabilityBoundingSet = caps;
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
UMask = "0077";
|
||||||
|
RestrictNamespaces = "~mnt";
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
KeyringMode = "private";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
});
|
||||||
|
}
|
Loading…
Reference in New Issue