systemd hardening for pvv-nettsiden-gallery-update.service (!90 )

#133 Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/90 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no> Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
flake.lock: bump greg-ng
2024-11-09 22:22:09 +01:00 · 2024-11-09 19:43:07 +01:00 · 2024-11-09 19:40:03 +01:00 · 2024-11-09 19:35:19 +01:00
3 changed files with 44 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@ -28,11 +28,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1729619392,
+        "lastModified": 1730249639,
-        "narHash": "sha256-olNCSjGLN6W2aIjdMeFrV5gIDrAx8PbUhhiF7LcL+ms=",
+        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
        "ref": "refs/heads/main",
-        "rev": "355d2ad13d355225fbedf8bb08dc49e9b5f4b9f2",
+        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
-        "revCount": 31,
+        "revCount": 34,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
      },
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@ -62,6 +62,33 @@ in {
      WorkingDirectory = galleryDir;
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
 }
--- a/users/alfhj.nix
+++ b/users/alfhj.nix
@ -0,0 +1,13 @@
 {pkgs, ...}:
 {
  users.users.alfhj = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
    ];
  };
 }
Author	SHA1	Message	Date
Alf Helge Jakobsen	b07cd5fbf6	systemd hardening for pvv-nettsiden-gallery-update.service (!90 ) #133 Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/90 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no> Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>	2024-11-09 22:22:09 +01:00
h7x4	464576e856	flake.lock: bump greg-ng	2024-11-09 19:43:07 +01:00
Oystein Kristoffer Tveit	df35715978	Merge pull request 'Add alfhj.nix' (!89 ) from newusersconfig into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/89 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-11-09 19:40:03 +01:00
Alf Helge Jakobsen	165ff56948	Add alfhj.nix	2024-11-09 19:35:19 +01:00