From eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 1 Mar 2022 12:29:58 +0100
Subject: surtr: matrix: isolation
---
 hosts/surtr/matrix/default.nix | 44 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 0c48a243..9376620c 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -80,6 +80,10 @@ with lib;
 };
 systemd.services.matrix-synapse = {
+ unitConfig = {
+ wants = ["postgresql.service"];
+ };
+
 serviceConfig = {
 LoadCredential = [
 "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
@@ -87,6 +91,46 @@ with lib;
 "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
 "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
 ];
+
+ RuntimeDirectory = "matrix-synapse";
+ StateDirectory = "matrix-synapse";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+
+ CapabilityBoundingSet = [];
+ AmbientCapabilities = [];
+
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+
+ PrivateNetwork = false;
+ RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"];
+ IPAddressAllow = "any";
+
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
+
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ PrivateUsers = true;
+ MemoryDenyWriteExecute = false;
+
+ ReadWritePaths = ["/var/run/postgresql"];
 };
 };
-- 
cgit v1.2.3
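Review bot: `RestrictAddressFamily` in the second hunk is not a systemd directive — the key is `RestrictAddressFamilies=` — so the generated unit carries a key systemd ignores with a warning and the address-family restriction is never actually enforced; the line should read `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];`. The same concern applies to `unitConfig.wants` in the first hunk: unit-file keys are case-sensitive and `unitConfig` is emitted verbatim, so this presumably lands as an ignored `wants=` rather than `Wants=`; the NixOS-level `wants = ["postgresql.service"];` option (with `after` alongside it if start ordering relative to PostgreSQL is intended) is the conventional form. `IPAddressAllow = "any"` has no effect unless an `IPAddressDeny` list is also set, so it can be dropped or paired with the deny list it is meant to relax. A short comment recording why `MemoryDenyWriteExecute` stays disabled would help the next reader, since it is the one hardening knob this change deliberately switches off. The `serviceConfig` attribute set begins before the second hunk and its enclosing module continues outside both hunks.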