Loading .github/CODEOWNERS +3 −0 Original line number Diff line number Diff line Loading @@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq # Pretix pkgs/by-name/pr/pretix/ @mweinelt pkgs/by-name/pr/pretalx/ @mweinelt nixos/modules/services/web-apps/pretix.nix @mweinelt nixos/modules/services/web-apps/pretalx.nix @mweinelt nixos/tests/web-apps/pretix.nix @mweinelt nixos/tests/web-apps/pretalx.nix @mweinelt # incus/lxc/lxd nixos/maintainers/scripts/lxd/ @adamcstephens Loading nixos/modules/services/web-apps/pretalx.nix +43 −6 Original line number Diff line number Diff line Loading @@ -24,7 +24,7 @@ in { meta = with lib; { maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; }; options.services.pretalx = { Loading Loading @@ -329,10 +329,47 @@ in serviceConfig = { User = "pretalx"; Group = "pretalx"; StateDirectory = [ "pretalx" "pretalx/media" ]; StateDirectory = [ "pretalx" "pretalx/media" ]; StateDirectoryMode = "0750"; LogsDirectory = "pretalx"; WorkingDirectory = cfg.settings.filesystem.data; SupplementaryGroups = [ "redis-pretalx" ]; AmbientCapabilities = ""; CapabilityBoundingSet = [ "" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; UMask = "0027"; }; }; in { Loading Loading 
@@ -395,6 +432,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}"; }); nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ]; }; systemd.sockets.pretalx-web.socketConfig = { Loading @@ -403,11 +442,9 @@ in }; users = { groups."${cfg.group}" = {}; users."${cfg.user}" = { groups.${cfg.group} = {}; users.${cfg.user} = { isSystemUser = true; createHome = true; home = cfg.settings.filesystem.data; inherit (cfg) group; }; }; Loading nixos/modules/services/web-apps/pretix.nix +6 −6 Original line number Diff line number Diff line Loading @@ -468,7 +468,7 @@ in StateDirectory = [ "pretix" ]; StateDirectoryMode = "0755"; StateDirectoryMode = "0750"; CacheDirectory = "pretix"; LogsDirectory = "pretix"; WorkingDirectory = cfg.settings.pretix.datadir; Loading Loading @@ -507,7 +507,7 @@ in "~@privileged" "@chown" ]; UMask = "0022"; UMask = "0027"; }; }; in { Loading Loading @@ -561,6 +561,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; }; nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ]; }; systemd.sockets.pretix-web.socketConfig = { Loading @@ -569,11 +571,9 @@ in }; users = { groups."${cfg.group}" = {}; users."${cfg.user}" = { groups.${cfg.group} = {}; users.${cfg.user} = { isSystemUser = true; createHome = true; home = cfg.settings.pretix.datadir; inherit (cfg) group; }; }; Loading nixos/tests/web-apps/pretalx.nix +4 −0 Original line number Diff line number Diff line Loading 
@@ -27,5 +27,9 @@ pretalx.wait_for_unit("pretalx-worker.service") pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/") pretalx.succeed("pretalx-manage --help") pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service")) ''; } pkgs/by-name/pr/pretalx/package.nix +1 −1 Original line number Diff line number Diff line Loading @@ -42,7 +42,7 @@ let homepage = "https://github.com/pretalx/pretalx"; changelog = "https://docs.pretalx.org/en/latest/changelog.html"; license = licenses.asl20; maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; platforms = platforms.linux; }; Loading Loading
.github/CODEOWNERS +3 −0 Original line number Diff line number Diff line Loading @@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq # Pretix pkgs/by-name/pr/pretix/ @mweinelt pkgs/by-name/pr/pretalx/ @mweinelt nixos/modules/services/web-apps/pretix.nix @mweinelt nixos/modules/services/web-apps/pretalx.nix @mweinelt nixos/tests/web-apps/pretix.nix @mweinelt nixos/tests/web-apps/pretalx.nix @mweinelt # incus/lxc/lxd nixos/maintainers/scripts/lxd/ @adamcstephens Loading
nixos/modules/services/web-apps/pretalx.nix +43 −6 Original line number Diff line number Diff line Loading @@ -24,7 +24,7 @@ in { meta = with lib; { maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; }; options.services.pretalx = { Loading Loading @@ -329,10 +329,47 @@ in serviceConfig = { User = "pretalx"; Group = "pretalx"; StateDirectory = [ "pretalx" "pretalx/media" ]; StateDirectory = [ "pretalx" "pretalx/media" ]; StateDirectoryMode = "0750"; LogsDirectory = "pretalx"; WorkingDirectory = cfg.settings.filesystem.data; SupplementaryGroups = [ "redis-pretalx" ]; AmbientCapabilities = ""; CapabilityBoundingSet = [ "" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; UMask = "0027"; }; }; in { Loading Loading @@ -395,6 +432,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}"; }); nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ]; }; systemd.sockets.pretalx-web.socketConfig = { Loading @@ -403,11 +442,9 @@ in }; users = { groups."${cfg.group}" = {}; users."${cfg.user}" = { groups.${cfg.group} = {}; users.${cfg.user} = { isSystemUser = true; createHome = true; home = cfg.settings.filesystem.data; inherit (cfg) group; }; }; Loading
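Review bot: The new `ProtectSystem = "strict"` in the serviceConfig hunk comes with no `ReadWritePaths`, so the unit can only write below its `StateDirectory`/`LogsDirectory` entries, while `WorkingDirectory` (and `home` in the users hunk) are taken from `cfg.settings.filesystem.data`; if that setting is deployer-configurable, a data directory outside /var/lib/pretalx would now fail at runtime instead of at evaluation. Either an assertion like `{ assertion = lib.hasPrefix "/var/lib/pretalx" cfg.settings.filesystem.data; message = "services.pretalx.settings.filesystem.data must live under the pretalx StateDirectory"; }` or an explicit `ReadWritePaths = [ cfg.settings.filesystem.data ];` would make the constraint visible. The `nginx.serviceConfig.SupplementaryGroups` addition gives nginx read access to everything group-readable under the state directory (with the 0750 mode and 0027 umask that is the whole tree, not only `pretalx/media`), which is wider than serving media needs; a comment such as `# nginx joins the pretalx group to traverse /var/lib/pretalx and read media; any other group-readable file in the data dir becomes readable too` would record the trade-off, and the same applies to the pretix.nix section. The serviceConfig attrset is bound in a `let` (the hunk closes with `in {`), so it is presumably shared by the web and worker units; the enclosing binding starts outside the hunk.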
nixos/modules/services/web-apps/pretix.nix +6 −6 Original line number Diff line number Diff line Loading @@ -468,7 +468,7 @@ in StateDirectory = [ "pretix" ]; StateDirectoryMode = "0755"; StateDirectoryMode = "0750"; CacheDirectory = "pretix"; LogsDirectory = "pretix"; WorkingDirectory = cfg.settings.pretix.datadir; Loading Loading @@ -507,7 +507,7 @@ in "~@privileged" "@chown" ]; UMask = "0022"; UMask = "0027"; }; }; in { Loading Loading @@ -561,6 +561,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; }; nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ]; }; systemd.sockets.pretix-web.socketConfig = { Loading @@ -569,11 +571,9 @@ in }; users = { groups."${cfg.group}" = {}; users."${cfg.user}" = { groups.${cfg.group} = {}; users.${cfg.user} = { isSystemUser = true; createHome = true; home = cfg.settings.pretix.datadir; inherit (cfg) group; }; }; Loading
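Review bot: Tightening `UMask` from 0022 to 0027 and `StateDirectoryMode` to 0750 only affects files created after the change; systemd may re-apply the mode of the top-level state directory on the next start, but files already written under /var/lib/pretix with the old umask stay world-readable, so existing deployments do not get the intended hardening automatically. A one-time fixup such as an `ExecStartPre` running `chmod -R o-rwx` over the data directory (group bits are left intact, so the new nginx group access keeps working), or at least a note in the module or release notes telling operators to re-permission existing installs, would close that gap. The `groups.${cfg.group}` / `users.${cfg.user}` hunk is a pure quoting change and needs nothing.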
nixos/tests/web-apps/pretalx.nix +4 −0 Original line number Diff line number Diff line Loading @@ -27,5 +27,9 @@ pretalx.wait_for_unit("pretalx-worker.service") pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/") pretalx.succeed("pretalx-manage --help") pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service")) ''; }
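Review bot: `pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))` only records the exposure report, so a later regression that drops hardening directives would still pass the test; `systemd-analyze security` accepts `--threshold=` and fails when the unit's exposure exceeds it, so `pretalx.succeed("systemd-analyze security --threshold=<score from the current report> pretalx-web.service")` would turn the log line into an actual check. The worker unit presumably shares the same hardening but is not analyzed; listing `pretalx-worker.service` on the same command line would cover it as well.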
pkgs/by-name/pr/pretalx/package.nix +1 −1 Original line number Diff line number Diff line Loading @@ -42,7 +42,7 @@ let homepage = "https://github.com/pretalx/pretalx"; changelog = "https://docs.pretalx.org/en/latest/changelog.html"; license = licenses.asl20; maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; platforms = platforms.linux; }; Loading
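Review bot: `[ hexa]` in the meta hunk is missing the space before the closing bracket; nixpkgs formatting expects `maintainers = with maintainers; [ hexa ] ++ teams.c3d2.members;`. The same spelling appears in the meta hunk of nixos/modules/services/web-apps/pretalx.nix.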