author | Thiago Kenji Okada | 2024-06-25 02:34:42 +0100 |
---|---|---|
committer | GitHub | 2024-06-25 02:34:42 +0100 |
commit | 30c578e589b2cba83f9985050b16a54f449e843e (patch) | |
tree | b322d4412657fb29caa4c1439f04a23a365c90b7 /nixos/modules | |
parent | 37081c340684e2098cead84d1113cf3d9b2a1394 (diff) | |
parent | 406ebf3ad6bce74453e5fb6b66521ee64a15b391 (diff) |
Merge pull request #321987 from thiagokokada/rtorrent-add-hardening
nixos/rtorrent: add systemd hardening configuration
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/torrent/rtorrent.nix | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix
index 009c2ffe0a5b..e0ce33d13462 100644
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@@ -8,6 +8,8 @@ let
 opt = options.services.rtorrent;
 in {
+ meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
 options.services.rtorrent = {
 enable = mkEnableOption "rtorrent";
@@ -202,7 +204,31 @@ in {
 ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
 ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
 RuntimeDirectory = "rtorrent";
- RuntimeDirectoryMode = 755;
+ RuntimeDirectoryMode = 750;
+
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ # If the default user is changed, there is a good chance that they
+ # want to store data in e.g.: $HOME directory
+ # Relax hardening in this case
+ ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
 };
 };
 };
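Review bot: `ProtectSystem = "full"` in the new serviceConfig block only makes `/usr`, `/boot`, `/efi` and `/etc` read-only, so `/var` and the rest of the filesystem stay writable and a compromised rtorrent — a daemon that parses untrusted peer and tracker traffic — is held back there only by ordinary DAC permissions of `cfg.user`. The hunk shows the unit writing under `${cfg.dataDir}/session` in both ExecStartPre and ExecStart, so the tighter form would be `ProtectSystem = "strict";` with `ReadWritePaths = [ cfg.dataDir ];`, which keeps the ExecStartPre lock cleanup working because it runs inside the same sandbox. If the generated rtorrent config can direct downloads outside cfg.dataDir (not visible in this hunk), that path would have to be listed as well, or the block should carry a comment such as `# "full" rather than "strict": download paths are user-configurable and may lie outside dataDir` explaining the weaker choice. The enclosing serviceConfig attribute set and its surrounding `config` block begin before this hunk.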