From dc79a237b3b7c4937ab253a359f09a37892f102e Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 18 Nov 2024 15:18:52 +0100
Subject: [PATCH] tsuki: fixes for nixos 24.11
---
 hosts/tsuki/services/postgres.nix | 27 +-----------------
 hosts/tsuki/services/samba.nix | 42 ++++++++++------------------
 hosts/tsuki/services/vaultwarden.nix | 33 ----------------------
 3 files changed, 16 insertions(+), 86 deletions(-)
diff --git a/hosts/tsuki/services/postgres.nix b/hosts/tsuki/services/postgres.nix
index c11d904..b6e95f4 100644
--- a/hosts/tsuki/services/postgres.nix
+++ b/hosts/tsuki/services/postgres.nix
@@ -48,32 +48,7 @@ in {
 requires = [ "postgresql.service" ];
 };
 
- systemd.services.postgresql = {
- serviceConfig = {
- Restart = "always";
- RestartSec = 3;
- ReadWritePaths = [ cfg.dataDir ];
- NoNewPrivileges = true;
- PrivateDevices = true;
- ProtectClock = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- # PrivateMounts = true;
- RestrictSUIDSGID = true;
- ProtectHostname = true;
- LockPersonality = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- ProtectProc = "invisible";
- ProtectHome = true;
- # PrivateNetwork = true;
- PrivateUsers = true;
- PrivateTmp = true;
- UMask = "0077";
- # RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
- SystemCallArchitectures = "native";
- };
- };
+ systemd.services.postgresql.serviceConfig.ReadWritePaths = [ cfg.dataDir ];
 
 environment.systemPackages = [ config.services.postgresql.package ];
 }
diff --git a/hosts/tsuki/services/samba.nix b/hosts/tsuki/services/samba.nix
index 81c4ad0..540ff56 100644
--- a/hosts/tsuki/services/samba.nix
+++ b/hosts/tsuki/services/samba.nix
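Review bot: Dropping the whole `serviceConfig` block also drops `Restart = "always"` and `RestartSec = 3`, which are not hardening options, so unless the 24.11 postgresql module sets a restart policy of its own (that the module's new sandboxing is what these definitions collided with is inferred from the commit subject, not visible here) the database now stays down after a crash. Keeping the restart policy next to the one retained path is still a single attribute set: `systemd.services.postgresql.serviceConfig = { ReadWritePaths = [ cfg.dataDir ]; Restart = "always"; RestartSec = 3; };`. A comment such as `# nixos 24.11's postgresql module ships its own sandboxing; only extend ReadWritePaths here` would tell the next reader why the local hardening list is gone instead of leaving that to git history. The enclosing `in {` attribute set begins before this hunk.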
@@ -5,26 +5,25 @@
 enable = true;
 # openFirewall = true;
 
- extraConfig = ''
- workgroup = TSUKI
- server string = smbnix
- netbios name = smbnix
+ settings = {
+ global = {
+ "workgroup" = "TSUKI";
+ "server string" = "smbnix";
+ "netbios name" = "smbnix";
 
- security = user
+ "security" = "user";
 
- use sendfile = yes
- min protocol = SMB2
- smb encrypt = desired
+ "use sendfile" = "yes";
+ "min protocol" = "SMB2";
+ "smb encrypt" = "desired";
 
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 100.107.69.8 100.100.65.88
- hosts deny = 0.0.0.0/0
+ # note: localhost is the ipv6 localhost ::1
+ "hosts allow" = "100.107.69.8 100.100.65.88";
+ "hosts deny" = "0.0.0.0/0";
 
- guest ok = no
- map to guest = never
- '';
-
- shares = {
+ "guest ok" = "no";
+ "map to guest" = "never";
+ };
 cirno = {
 path = "/data/cirno";
 browseable = "yes";
@@ -66,15 +65,4 @@
 
 networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 139 445 ];
 networking.firewall.interfaces."tailscale0".allowedUDPPorts = [ 137 138 ];
-
-
- systemd.slices.system-samba = {
- description = "Samba slice";
- after = [ "system.slice" ];
- requires = [ "system.slice" ];
- };
-
- systemd.services.samba-smbd.serviceConfig.Slice = "system-samba.slice";
- systemd.services.samba-nmbd.serviceConfig.Slice = "system-samba.slice";
- systemd.services.samba-winbindd.serviceConfig.Slice = "system-samba.slice";
 }
diff --git a/hosts/tsuki/services/vaultwarden.nix b/hosts/tsuki/services/vaultwarden.nix
index 2c1464c..6736668 100644
--- a/hosts/tsuki/services/vaultwarden.nix
+++ b/hosts/tsuki/services/vaultwarden.nix
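Review bot: `"hosts deny" = "0.0.0.0/0"` only covers IPv4, and with Samba's documented precedence a client that matches neither `hosts allow` nor `hosts deny` is admitted, so a peer reaching smbd over IPv6 bypasses the two-address allow list — the `::1` remark in the carried-over comment is one instance, and any IPv6 address Tailscale may assign on tailscale0 would be another. Since the allow list is already explicit, `"hosts deny" = "ALL";` makes the deny rule address-family independent; the tailscale0 firewall rules in the later hunk bound the exposure but do not replace this check. Separately, `"smb encrypt" = "required";` would be cheap with only two permitted peers, though Tailscale already encrypts the path, so that is a defense-in-depth choice rather than a defect. The `services.samba` attribute set this hunk edits opens before the hunk and the `cirno` share continues past it.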
@@ -21,39 +21,6 @@ in {
 
 systemd.services.vaultwarden = lib.mkIf cfg.enable {
 requires = [ "postgresql.service" ];
-
- serviceConfig = {
- # Extra hardening
- CapabilityBoundingSet = "";
- LockPersonality = true;
- NoNewPrivileges = true;
- # MemoryDenyWriteExecute = true;
- PrivateMounts = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
- RemoveIPC = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- UMask = "0007";
- };
 };
 
 services.postgresql = lib.mkIf cfg.enable {
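Review bot: Removing the entire `serviceConfig` block leaves the vaultwarden unit with only whatever sandboxing the nixpkgs module provides, and if the 24.11 module does not set equivalents of `CapabilityBoundingSet = ""`, `SystemCallFilter` and `RestrictAddressFamilies` (presumably the reason these definitions now conflict, but that is inferred from the commit subject), a credential store has lost its capability and syscall confinement. Please verify on the built system with `systemctl show vaultwarden -p SystemCallFilter -p CapabilityBoundingSet` and record the outcome in a comment such as `# hardening now comes from the nixpkgs vaultwarden module (24.11)`, so the deletion does not read as an oversight. Independently, the retained `requires = [ "postgresql.service" ];` has no matching `after`, so systemd may start vaultwarden in parallel with PostgreSQL and its first connection can race the database's startup; `after = [ "postgresql.service" ];` beside it fixes the ordering unless the module already provides it. The `in {` attribute set enclosing this definition starts before the hunk.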