Loading nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix +11 −0 Original line number Diff line number Diff line Loading @@ -32,9 +32,15 @@ in ${escapeShellArgs cfg.extraFlags} ''; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; Loading @@ -43,6 +49,8 @@ in PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; Loading @@ -50,7 +58,10 @@ in ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "on-failure"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; Loading nixos/modules/services/monitoring/prometheus/alertmanager.nix +47 −5 Original line number Diff line number Diff line Loading 
@@ -181,15 +181,57 @@ in { -i "${alertmanagerYml}" ''; serviceConfig = { Restart = "always"; StateDirectory = "alertmanager"; DynamicUser = true; # implies PrivateTmp EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; WorkingDirectory = "/tmp"; ExecStart = "${cfg.package}/bin/alertmanager" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "always"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; StateDirectory = "alertmanager"; SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@privileged" "~@reboot" "~@setuid" "~@swap" ]; WorkingDirectory = "/tmp"; }; }; }) Loading nixos/modules/services/monitoring/prometheus/pushgateway.nix +42 −2 Original line number Diff line number Diff line Loading 
@@ -147,12 +147,52 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { Restart = "always"; DynamicUser = true; ExecStart = "${cfg.package}/bin/pushgateway" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "always"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; StateDirectory = if cfg.persistMetrics then cfg.stateDir else null; SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@privileged" "~@reboot" "~@setuid" "~@swap" ]; }; }; }; Loading Loading
nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix +11 −0 Original line number Diff line number Diff line Loading @@ -32,9 +32,15 @@ in ${escapeShellArgs cfg.extraFlags} ''; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; Loading @@ -43,6 +49,8 @@ in PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; Loading @@ -50,7 +58,10 @@ in ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "on-failure"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; Loading
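Review bot: `MemoryDenyWriteExecute = true;` and `RestrictAddressFamilies` are added here without a `SystemCallArchitectures = "native";` alongside them. systemd's documentation recommends pairing both options with it, because on multi-ABI systems such as x86-64 a secondary ABI can otherwise be used to circumvent these seccomp-based restrictions. This unit's serviceConfig starts and ends outside the three hunks shown, so the setting may already exist there. The alertmanager.nix and pushgateway.nix sections show their serviceConfig from opening to closing brace, and neither contains it. Suggest adding `SystemCallArchitectures = "native";` to all three units.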
nixos/modules/services/monitoring/prometheus/alertmanager.nix +47 −5 Original line number Diff line number Diff line Loading @@ -181,15 +181,57 @@ in { -i "${alertmanagerYml}" ''; serviceConfig = { Restart = "always"; StateDirectory = "alertmanager"; DynamicUser = true; # implies PrivateTmp EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; WorkingDirectory = "/tmp"; ExecStart = "${cfg.package}/bin/alertmanager" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "always"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; StateDirectory = "alertmanager"; SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@privileged" "~@reboot" "~@setuid" "~@swap" ]; WorkingDirectory = "/tmp"; }; }; }) Loading
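Review bot: `RestrictAddressFamilies` in this unit also allows `"AF_NETLINK"`, which the webhook-logger and pushgateway units do not, and nothing in the section says why. An undocumented exception in an otherwise uniform hardening block tends to be either dropped or copied to other units by a later maintainer. If, as seems likely, it is needed so the clustering code can enumerate network interfaces, a comment on that line would record it, for example `# AF_NETLINK: interface/address discovery for clustering`. The reason is inferred, not visible in the diff, so the author should confirm the wording.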
nixos/modules/services/monitoring/prometheus/pushgateway.nix +42 −2 Original line number Diff line number Diff line Loading @@ -147,12 +147,52 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { Restart = "always"; DynamicUser = true; ExecStart = "${cfg.package}/bin/pushgateway" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; MemoryDenyWriteExecute = true; LockPersonality = true; ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; PrivateTmp = true; PrivateDevices = true; PrivateIPC = true; ProcSubset = "pid"; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; Restart = "always"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; StateDirectory = if cfg.persistMetrics then cfg.stateDir else null; SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@privileged" "~@reboot" "~@setuid" "~@swap" ]; }; }; }; Loading
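Review bot: The `SystemCallFilter` list looks partly redundant, which makes the effective policy harder to read; the same list appears in alertmanager.nix. As far as I can tell from systemd's group definitions, `@reboot`, `@setuid` and `@swap` are already members of `@privileged`, and `@cpu-emulation` is not part of the `@system-service` allow-list to begin with. Either shorten it to `SystemCallFilter = [ "@system-service" "~@privileged" ];` or keep the explicit entries and add a comment such as `# explicit denials kept as defence in depth should the group definitions change`.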