Compare commits

..

4 Commits

Author SHA1 Message Date
Alf Helge Jakobsen b07cd5fbf6 systemd hardening for pvv-nettsiden-gallery-update.service (!90)
#133

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/90
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
2024-11-09 22:22:09 +01:00
h7x4 464576e856
flake.lock: bump greg-ng 2024-11-09 19:43:07 +01:00
Oystein Kristoffer Tveit df35715978 Merge pull request 'Add alfhj.nix' (!89) from newusersconfig into main
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/89
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2024-11-09 19:40:03 +01:00
Alf Helge Jakobsen 165ff56948 Add alfhj.nix 2024-11-09 19:35:19 +01:00
3 changed files with 44 additions and 4 deletions

View File

@ -28,11 +28,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1729619392, "lastModified": 1730249639,
"narHash": "sha256-olNCSjGLN6W2aIjdMeFrV5gIDrAx8PbUhhiF7LcL+ms=", "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "355d2ad13d355225fbedf8bb08dc49e9b5f4b9f2", "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
"revCount": 31, "revCount": 34,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git" "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
}, },

View File

@ -62,6 +62,33 @@ in {
WorkingDirectory = galleryDir; WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user; User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group; Group = config.services.pvv-nettsiden.group;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
}; };
}; };
} }

13
users/alfhj.nix Normal file
View File

@ -0,0 +1,13 @@
{pkgs, ...}:
{
users.users.alfhj = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
];
};
}