surtr: matrix: isolation

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-03-01 12:29:58 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-03-01 12:29:58 +0100
commit: eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d (patch)
tree: 03c9f1c79e56eed00ca03c8891fb9e5c42bb8f23 /hosts/surtr/matrix/default.nix
parent: 3170a30f7dee00376af1e4e4d5229a6045a78388 (diff)
download: nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar
nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.gz
nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.bz2
nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.xz
nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.zip
1 files changed, 44 insertions, 0 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 0c48a243..9376620c 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -80,6 +80,10 @@ with lib;
    };
    systemd.services.matrix-synapse = {
+      unitConfig = {
+        wants = ["postgresql.service"];
+      };
      serviceConfig = {
        LoadCredential = [
          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
@@ -87,6 +91,46 @@ with lib;
          "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
          "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
        ];
+        RuntimeDirectory = "matrix-synapse";
+        StateDirectory = "matrix-synapse";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        CapabilityBoundingSet = [];
+        AmbientCapabilities = [];
+        ProtectSystem = "strict";
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectHome = "tmpfs";
+        ProtectKernelLogs = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateNetwork = false;
+        RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"];
+        IPAddressAllow = "any";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
+        
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        PrivateUsers = true;
+        MemoryDenyWriteExecute = false;
+        ReadWritePaths = ["/var/run/postgresql"];
      };
    };
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-03-01 12:29:58 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-03-01 12:29:58 +0100
commit	eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d (patch)
tree	03c9f1c79e56eed00ca03c8891fb9e5c42bb8f23 /hosts/surtr/matrix/default.nix
parent	3170a30f7dee00376af1e4e4d5229a6045a78388 (diff)
download	nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.gz nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.bz2 nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.xz nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.zip

diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index 0c48a243..9376620c 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix
@@ -80,6 +80,10 @@ with lib;
80	};	80	};
81		81
82	systemd.services.matrix-synapse = {	82	systemd.services.matrix-synapse = {
		83	unitConfig = {
		84	wants = ["postgresql.service"];
		85	};
		86
83	serviceConfig = {	87	serviceConfig = {
84	LoadCredential = [	88	LoadCredential = [
85	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"	89	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
@@ -87,6 +91,46 @@ with lib;
87	"registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"	91	"registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
88	"turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"	92	"turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
89	];	93	];
		94
		95	RuntimeDirectory = "matrix-synapse";
		96	StateDirectory = "matrix-synapse";
		97
		98	PrivateTmp = true;
		99	PrivateDevices = true;
		100
		101	CapabilityBoundingSet = [];
		102	AmbientCapabilities = [];
		103
		104	ProtectSystem = "strict";
		105	ProtectKernelTunables = true;
		106	ProtectKernelModules = true;
		107	ProtectControlGroups = true;
		108	ProtectClock = true;
		109	ProtectHostname = true;
		110
		111	ProtectHome = "tmpfs";
		112	ProtectKernelLogs = true;
		113
		114	ProtectProc = "invisible";
		115	ProcSubset = "pid";
		116
		117	PrivateNetwork = false;
		118	RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"];
		119	IPAddressAllow = "any";
		120
		121	SystemCallArchitectures = "native";
		122	SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
		123
		124	RestrictSUIDSGID = true;
		125	RemoveIPC = true;
		126	NoNewPrivileges = true;
		127	RestrictRealtime = true;
		128	RestrictNamespaces = true;
		129	LockPersonality = true;
		130	PrivateUsers = true;
		131	MemoryDenyWriteExecute = false;
		132
		133	ReadWritePaths = ["/var/run/postgresql"];
90	};	134	};
91	};	135	};
92		136