Unverified Commit 9afcf733 authored by Martin Weinelt's avatar Martin Weinelt

nixos/pretix: update hardening

- Transition from world-readable to group-readable UMask
- Remove world permissions from state directory
parent e2ccc754
+4 −2
@@ -468,7 +468,7 @@ in
          StateDirectory = [
            "pretix"
          ];
          StateDirectoryMode = "0755";
          StateDirectoryMode = "0750";
          CacheDirectory = "pretix";
          LogsDirectory = "pretix";
          WorkingDirectory = cfg.settings.pretix.datadir;
@@ -507,7 +507,7 @@ in
            "~@privileged"
            "@chown"
          ];
          UMask = "0022";
          UMask = "0027";
        };
      };
    in {
@@ -561,6 +561,8 @@ in
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
      };

      nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
    };

    systemd.sockets.pretix-web.socketConfig = {
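Review bot: Only StateDirectoryMode is tightened to 0750 in the first hunk, while the CacheDirectory and LogsDirectory declared directly below it keep systemd's default directory mode of 0755, so those two directories remain world-listable even though the new UMask of 0027 makes files created inside them owner/group-only. If that is not intended, add `CacheDirectoryMode = "0750";` and `LogsDirectoryMode = "0750";` beside the existing line, unless they are already set somewhere outside the hunk. The nginx SupplementaryGroups line in the last hunk would also benefit from a short comment stating why the group membership is needed, e.g. `# nginx must be in the pretix group to read the now group-only (0750) state directory`, since its dependence on the mode change in the first hunk is otherwise invisible here. The enclosing serviceConfig and systemd.services attribute sets start and end outside the hunks.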