authorGregor Kleen <gkleen@yggdrasil.li>2022-03-01 12:29:58 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-03-01 12:29:58 +0100
commiteb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d (patch)
tree03c9f1c79e56eed00ca03c8891fb9e5c42bb8f23
parent3170a30f7dee00376af1e4e4d5229a6045a78388 (diff)
surtr: matrix: isolation
-rw-r--r--hosts/surtr/matrix/default.nix44
1 files changed, 44 insertions, 0 deletions
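--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -80,6 +80,10 @@ with lib;
   };
 
   systemd.services.matrix-synapse = {
+    unitConfig = {
+      wants = ["postgresql.service"];
+    };
+
     serviceConfig = {
       LoadCredential = [
         "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
@@ -87,6 +91,46 @@ with lib;
         "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
         "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
       ];
+
+      RuntimeDirectory = "matrix-synapse";
+      StateDirectory = "matrix-synapse";
+
+      PrivateTmp = true;
+      PrivateDevices = true;
+
+      CapabilityBoundingSet = [];
+      AmbientCapabilities = [];
+
+      ProtectSystem = "strict";
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectClock = true;
+      ProtectHostname = true;
+
+      ProtectHome = "tmpfs";
+      ProtectKernelLogs = true;
+
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+
+      PrivateNetwork = false;
+      RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"];
+      IPAddressAllow = "any";
+
+      SystemCallArchitectures = "native";
+      SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
+
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      NoNewPrivileges = true;
+      RestrictRealtime = true;
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      PrivateUsers = true;
+      MemoryDenyWriteExecute = false;
+
+      ReadWritePaths = ["/var/run/postgresql"];
     };
   };
 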
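Review bot: `RestrictAddressFamily` in the second hunk is not a systemd directive — the option is `RestrictAddressFamilies` — so systemd will most likely log an "Unknown key name" warning and the AF_INET/AF_INET6/AF_UNIX restriction is silently not applied; change it to `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];`. The same kind of problem appears to affect `unitConfig.wants` in the first hunk: `unitConfig` is written verbatim into the `[Unit]` section and unit-file keys are case-sensitive, so lowercase `wants=` is probably ignored; the NixOS service-level option is the safer form, and since `Wants=` alone gives no ordering, pair it with `after` so synapse does not start before postgresql: `wants = ["postgresql.service"]; after = ["postgresql.service"];`. After deploying, `systemd-analyze verify matrix-synapse.service` or the journal should show no remaining unknown-key warnings for this unit. The `systemd.services.matrix-synapse` attribute set starts before this hunk and is not fully visible here.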