Commit be1336d8 authored by gaykitty's avatar gaykitty

nixos/stargazer: harden systemd service

parent 77430d38
+6 −0
@@ -235,6 +235,12 @@
  for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
  data and the filesystem for blobs).

- The `stargazer` service has been hardened to improve security, but these
  changes make break certain setups, particularly around traditional CGI.

  - The `stargazer.allowCgiUser` option has been added, enabling
    Stargazer's `cgi-user` option to work, which was previously broken.

- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:

  ```
+38 −0
@@ -225,6 +225,44 @@ in
          "CAP_SETGID"
          "CAP_SETUID"
        ];

        # Hardening
        UMask = "0077";
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "full";
        ProtectClock = true;
        ProtectHostname = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        PrivateDevices = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        PrivateMounts = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RemoveIPC = true;
        CapabilityBoundingSet = [
          "~CAP_SYS_PTRACE"
          "~CAP_SYS_ADMIN"
          "~CAP_SETPCAP"
          "~CAP_SYS_TIME"
          "~CAP_SYS_PACCT"
          "~CAP_SYS_TTY_CONFIG "
          "~CAP_SYS_CHROOT"
          "~CAP_SYS_BOOT"
          "~CAP_NET_ADMIN"
        ] ++ lib.lists.optional (!cfg.allowCgiUser) [
          "~CAP_SETGID"
          "~CAP_SETUID"
        ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete" ]
          ++ lib.lists.optional (!cfg.allowCgiUser) [ "@privileged @setuid" ];
      };
    };

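Review bot: `lib.lists.optional` on the `CapabilityBoundingSet` and `SystemCallFilter` lines takes a single element and wraps it, so passing a list yields a nested list (`[ [ "~CAP_SETGID" "~CAP_SETUID" ] ]`); the helper meant here is `lib.lists.optionals`, i.e. `] ++ lib.lists.optionals (!cfg.allowCgiUser) [` and `++ lib.lists.optionals (!cfg.allowCgiUser) [ "@privileged @setuid" ];`. It may still render into a valid unit if the generator stringifies the inner list, but that would be accidental and worth fixing while the change is fresh. `"~CAP_SYS_TTY_CONFIG "` carries a trailing space inside the string literal; drop it so the capability name is exact rather than relying on the parser to trim it. Since `SystemCallFilter` is written as a denylist, a short comment such as `# Denylist rather than @system-service allowlist so CGI handlers keep working` (if that is indeed the reason) would tell the next reader whether the choice was deliberate. The enclosing `serviceConfig` set begins before this hunk.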
+0 −2
@@ -145,8 +145,6 @@ in
    geminiserver.wait_for_unit("scgi_server")
    geminiserver.wait_for_open_port(1099)
    geminiserver.wait_for_unit("stargazer")
    geminiserver.wait_for_unit("stargazer")
    cgiTestServer.wait_for_open_port(1965)
    cgiTestServer.wait_for_open_port(1965)

    with subtest("stargazer test suite"):