{ lib, ... }:

let
  # php-fpm pools whose systemd units receive the hardening below.
  poolNames = [
    "idp"
    "mediawiki"
    "pvv-nettsiden"
    "roundcube"
    "snappymail"
  ];

  # Unit names are derived from the pool names as "phpfpm-<pool>".
  unitNames = map (name: "phpfpm-" + name) poolNames;

  # The only capabilities the php-fpm master keeps; the bounding set and the
  # ambient set are deliberately the same list. SETUID/SETGID are presumably
  # there so the master can switch to the per-pool users — confirm.
  fpmCapabilities = [
    "CAP_NET_BIND_SERVICE"
    "CAP_SETGID"
    "CAP_SETUID"
    "CAP_CHOWN"
    "CAP_KILL"
    "CAP_IPC_LOCK"
    "CAP_DAC_OVERRIDE"
  ];

  # Hardening shared by every pool unit. Defined once so all pools stay in sync.
  hardenedServiceConfig = {
    AmbientCapabilities = fpmCapabilities;
    CapabilityBoundingSet = fpmCapabilities;

    # NOTE(review): an empty DeviceAllow= resets the allow list, but with the
    # default DevicePolicy=auto it may not enable a device ACL on its own.
    # Check the unit with `systemd-analyze security`; PrivateDevices or
    # DevicePolicy=closed would make the restriction explicit.
    DeviceAllow = [ "" ];

    LockPersonality = true;
    # Left off — presumably PHP's JIT/opcache needs writable+executable
    # mappings; confirm before tightening.
    MemoryDenyWriteExecute = false;
    NoNewPrivileges = true;
    PrivateMounts = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    # Makes /home, /root and /run/user inaccessible. The earlier note
    # ("needed to read passwords from /run maybe?") does not describe this
    # directive — confirm what it was meant to explain.
    ProtectHome = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    RemoveIPC = true;
    UMask = "0077";
    # Only mount-namespace creation is denied; other namespace types stay allowed.
    RestrictNamespaces = "~mnt";
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
    KeyringMode = "private";
    SystemCallFilter = [
      "@system-service"
      # "~@privileged" and "~@resources" (suggested by the source article) are
      # not applied; presumably some pool needed them — confirm before enabling.
    ];
  };
in
{
  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
  systemd.services = lib.genAttrs unitNames (_: {
    serviceConfig = hardenedServiceConfig;
  });
}