authorsternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2021-06-16 21:16:25 +0200
committersterni <sternenseemann@systemli.org>2021-06-16 22:28:25 +0200
commit1c6ce35ccab010c7983f7d7a72a849e4e0c377b6 (patch)
treedc8d1ab401c11ad24410022f23132a5c46fbfe22
parentf83032b647d678cd88259987d5a62ddc1f9c3247 (diff)
fix(nixos): fix sandboxing
Due to a typo, previously the filesystem was accessible. Now we
can't use `InaccessiblePaths` anymore, since it doesn't allow nesting
with `BindReadOnlyPaths`. Thus we need to switch to
`TemporaryFileSystem` which unfortunately doesn't seem to work with
`DynamicUser`.

With a new warteraum-specific user we can run warteraum in a
filesystem that only contains `/nix/store`, the secret files and vital
things like `/proc`, `/dev` etc.
-rw-r--r--README.adoc3
-rw-r--r--nixos/flipdot-gschichtler.nix32
2 files changed, 28 insertions, 7 deletions
diff --git a/README.adoc b/README.adoc
index e13439e..6ce53ad 100644
--- a/README.adoc
+++ b/README.adoc
@@ -347,6 +347,9 @@ Changelog
    service this is reflected by the usage of `saltFile` and
    `tokensFile` respectively over the previous `salt` and
    `tokens`.
+** Fix sandboxing in `nixos/flipdot-gschichtler.nix`: Now only
+  the secret files and the nix store will be readable to the
+  `warteraum` process.
 
 2.0.0
 ~~~~~
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index f94fe01..06efd62 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -8,6 +8,8 @@ let
     bahnhofshalle
     warteraum-static
     ;
+
+  userGroupName = "warteraum";
 in {
   options = {
     services.flipdot-gschichtler = {
@@ -58,21 +60,26 @@ in {
       serviceConfig = {
         Type = "simple";
         ExecStart = "${warteraum-static}/bin/warteraum";
-        InAccessibleDirectories = "/";
+
+        # make only /nix/store and the salt and token file accessible
+        TemporaryFileSystem = "/:ro";
+        BindReadOnlyPaths = "/nix/store " + (lib.concatStringsSep " " [
+          cfg.saltFile
+          cfg.tokensFile
+        ]);
+        # TemporaryFileSystem doesn't work with DynamicUser
+        User = userGroupName;
+        Group = userGroupName;
+
         # mmap and munmap are used by libscrypt-kdf
         SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal @process @timer brk mmap munmap open";
         SystemCallArchitectures = "native";
-        CapabilityBoundingSet = "";
 
+        CapabilityBoundingSet = "";
         NoNewPrivileges = true;
         RestrictRealtime = true;
         LockPersonality = true;
 
-        DynamicUser = true;
-
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
         PrivateUsers = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
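Review bot: Removing `DynamicUser = true` also removes the settings systemd implies for dynamic users, and this hunk only accounts for some of them: `NoNewPrivileges` stays explicit and `ProtectSystem`, `ProtectHome` and `PrivateTmp` are subsumed by `TemporaryFileSystem = "/:ro"`, but the implied `RemoveIPC=yes` and `RestrictSUIDSGID=yes` are now silently off. Consider adding `RemoveIPC = true;` and `RestrictSUIDSGID = true;` next to `CapabilityBoundingSet = "";` so the static user loses no hardening the dynamic one had. The `BindReadOnlyPaths` value is hand-joined with spaces from `cfg.saltFile` and `cfg.tokensFile`, so a path containing whitespace would be split by systemd; passing a Nix list (`BindReadOnlyPaths = [ "/nix/store" cfg.saltFile cfg.tokensFile ];`) is rendered as repeated directives and avoids the manual join, although an entry would still need quoting if it can contain spaces. The `serviceConfig` attrset begins before this hunk.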
@@ -81,6 +88,9 @@ in {
         MemoryDenyWriteExecute = true;
         PrivateDevices = true;
         PrivateMounts = true;
+
+        StandardError = "journal";
+        StandardOutput = "journal";
       };
     };
 
@@ -94,5 +104,13 @@ in {
         }
       '';
     };
+
+    users = {
+      users."${userGroupName}"= {
+        isSystemUser = true;
+        group = userGroupName;
+      };
+      groups."${userGroupName}"= {};
+    };
   };
 }
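Review bot: The new static `warteraum` user only works if `cfg.saltFile` and `cfg.tokensFile` are readable by it, and nothing visible in this commit ensures or documents that; a root-owned mode-0600 secret would bind-mount fine and then fail at read time. Since the `saltFile`/`tokensFile` option descriptions are outside this hunk, at least add a sentence to them such as `Must be readable by the warteraum system user the service runs as.`, or alternatively check ownership in the module. Minor style: `users."${userGroupName}"= {` and `groups."${userGroupName}"= {}` lack the space before `=` that the rest of the file uses. The `config` attrset this `users` block is added to starts before this hunk.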