colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

kiwix-serve: harden

Browse Source
This commit is contained in:
Colin
2024-07-28 23:19:21 +00:00
parent 6a9fd04437
commit 43232ff569
1 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
modules/services/kiwix-serve.nix
View File

@@ -39,17 +39,41 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.kiwix-serve = { systemd.services.kiwix-serve = let
description = "Deliver ZIM file(s) articles via HTTP";
serviceConfig = let
maybeListenAddress = lib.optionals (cfg.listenAddress != null) ["-l" cfg.listenAddress]; maybeListenAddress = lib.optionals (cfg.listenAddress != null) ["-l" cfg.listenAddress];
args = maybeListenAddress ++ ["-p" cfg.port] ++ cfg.zimPaths; args = maybeListenAddress ++ ["-p" cfg.port] ++ cfg.zimPaths;
in { in {
ExecStart = "${cfg.package}/bin/kiwix-serve ${lib.escapeShellArgs args}"; description = "Deliver ZIM file(s) articles via HTTP";
Type = "simple"; serviceConfig.ExecStart = "${cfg.package}/bin/kiwix-serve ${lib.escapeShellArgs args}";
}; serviceConfig.Type = "simple";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# hardening (systemd-analyze security kiwix-serve)
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = true;
serviceConfig.PrivateMounts = true;
serviceConfig.PrivateTmp = true;
serviceConfig.PrivateUsers = true;
serviceConfig.ProcSubset = "pid";
serviceConfig.ProtectClock = true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectProc = "invisible";
serviceConfig.ProtectSystem = "strict";
serviceConfig.RemoveIPC = true;
serviceConfig.ReadPaths = cfg.zimPaths;
serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
}; };
}; };
} }