Merge pull request #98 from serokell/sereja/OPS-1161-harden-services
[OPS-1161] Harden systemd services
rvem authored May 6, 2024
2 parents 2d91373 + 45be7bb commit 1c2fbf3
Showing 2 changed files with 23 additions and 0 deletions.
1 change: 1 addition & 0 deletions common.nix
Expand Up @@ -4,6 +4,7 @@
inputs.serokell-nix.nixosModules.serokell-users
inputs.vault-secrets.nixosModules.vault-secrets
inputs.serokell-nix.nixosModules.wireguard-monitoring
inputs.serokell-nix.lib.systemd.hardenServices
];

networking.domain = "gemini.serokell.team";
22 changes: 22 additions & 0 deletions servers/alzirr/deployment.nix
Expand Up @@ -39,6 +39,28 @@ in
User = "sweater";
Group = "users";
ExecStart = "${swampwalk2-profile}/bin/swampwalk-server";

# hardening options
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_FOWNER"
"CAP_DAC_OVERRIDE"
];
AmbientCapabilities = [ "" ];
DeviceAllow = "no";
KeyringMode = "private";
NotifyAccess = "none";
PrivateMounts = "yes";
PrivateTmp = "yes";
ProtectControlGroups = "yes";
ProtectProc = "invisible";
SupplementaryGroups = [ "" ];
Delegate = "no";
RemoveIPC = "yes";
UMask = "0027";
ProcSubset = "pid";
};
};
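Review bot: `DeviceAllow = "no";` does not restrict device access, because DeviceAllow= expects a device node path (or a `block-`/`char-` group) followed by r/w/m flags, and as far as I can tell systemd treats `no` as an invalid device node path and drops the line with a warning, leaving the unit's device cgroup policy at its default. The intended effect is `DevicePolicy = "closed";` (optionally with `DeviceAllow = "";` to reset any inherited allow-list), or `PrivateDevices = "yes";`, which implies it. Separately, since the unit already runs as `User = "sweater"`, the five capabilities kept in `CapabilityBoundingSet` (including CAP_DAC_OVERRIDE and CAP_SETUID/CAP_SETGID) cannot be exercised by the process itself and only widen what a setuid or file-capability binary it executes could regain, so unless swampwalk-server depends on that, `CapabilityBoundingSet = [ "" ];` is the tighter setting. Whether `NoNewPrivileges`, `ProtectSystem`/`ProtectHome`, `RestrictAddressFamilies` and `SystemCallFilter` are supplied by the `hardenServices` module imported in common.nix is not visible here; if they are not, they belong alongside these options. The enclosing `systemd.services` definition starts above the hunk.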

