diff --git a/flake.lock b/flake.lock
index ba48d47..50feab6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -413,11 +413,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1734683762,
- "narHash": "sha256-GnwQCZ9tx9Cb4PjPySnJrCYB4Fc3c288fw+sAeATXJY=",
+ "lastModified": 1734694533,
+ "narHash": "sha256-OPww6Fzq7qnHctBcu6J9vmVdZ4NS8vpdG8JRvWm4i3s=",
 "owner": "rebmit",
 "repo": "nix-exprs",
- "rev": "13d8ed59016e492edc92407d4691e45b4fc09d4e",
+ "rev": "4a958c802908b90f60f7aac2c85de433c86ec76c",
 "type": "github"
 },
 "original": {
diff --git a/nixos/modules/networking/netns/port-forward.nix b/nixos/modules/networking/netns/port-forward.nix
index 1ef3375..c955bda 100644
--- a/nixos/modules/networking/netns/port-forward.nix
+++ b/nixos/modules/networking/netns/port-forward.nix
@@ -105,6 +105,7 @@ in
 "CAP_SYS_ADMIN"
 "CAP_SYS_PTRACE"
 ];
+ SystemCallFilter = [ "@system-service" ];
 };
 after = [
 "network.target"
diff --git a/nixos/profiles/services/caddy/default.nix b/nixos/profiles/services/caddy/default.nix
index d15bb17..fccc2bb 100644
--- a/nixos/profiles/services/caddy/default.nix
+++ b/nixos/profiles/services/caddy/default.nix
@@ -15,13 +15,14 @@
 };
 
 systemd.services.caddy.serviceConfig = mylib.misc.serviceHardened // {
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- };
-
- systemd.services.caddy-api.serviceConfig = mylib.misc.serviceHardened // {
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ AmbientCapabilities = [
+ ""
+ "CAP_NET_BIND_SERVICE"
+ ];
+ CapabilityBoundingSet = [
+ ""
+ "CAP_NET_BIND_SERVICE"
+ ];
 };
 
 services.restic.backups.b2.paths = [ config.services.caddy.dataDir ];
diff --git a/nixos/profiles/services/mail/dovecot.nix b/nixos/profiles/services/mail/dovecot.nix
index 5061649..505a114 100644
--- a/nixos/profiles/services/mail/dovecot.nix
+++ b/nixos/profiles/services/mail/dovecot.nix
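Review bot: The new `SystemCallFilter = [ "@system-service" ];` in port-forward.nix sits directly under a capability list that still grants `CAP_SYS_ADMIN` and `CAP_SYS_PTRACE`, and `@system-service` is documented to leave out `@mount`, so if this unit enters the target namespace the way `ip netns exec` does (bind-mounting a per-netns /etc and /sys) the helper is killed with SIGSYS instead of failing with a readable error. The serviceConfig attrset starts above the hunk, so the ExecStart is not visible here; it is worth confirming whether the helper only needs setns(2), which as far as I recall is covered by `@process`, or also mount(2). A comment on the added line such as `# @system-service excludes @mount; enough for setns() but not for ip-netns style bind mounts` would record that decision, and `SystemCallLog = [ "~@system-service" ];` during a test boot shows any call the filter would otherwise block.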
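Review bot: The `""` entry that now heads `AmbientCapabilities` and `CapabilityBoundingSet` in caddy/default.nix only clears whatever the rendered unit lists before it, and the order in which NixOS concatenates list definitions from different modules depends on module evaluation order rather than on this file, so entries contributed elsewhere can land after the reset and survive. The postfix and ntfy hunks in the same commit pin their sets with `lib.mkForce`; doing the same here, `AmbientCapabilities = lib.mkForce [ "" "CAP_NET_BIND_SERVICE" ];`, makes the intent unambiguous, and `systemctl show caddy -p AmbientCapabilities -p CapabilityBoundingSet` on a built host confirms the effective values. The separate `caddy-api.serviceConfig` block is dropped; if that unit still exists on the host it no longer inherits `serviceHardened`, which deserves a line in the commit message either way. A comment such as `# "" resets entries merged from other modules; keep it first` would explain the otherwise odd-looking empty string.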
@@ -4,6 +4,7 @@ config, lib, pkgs, + mylib, ... }: let @@ -95,9 +96,6 @@ in listen = 127.0.0.1 haproxy_trusted_networks = 127.0.0.1/8 - default_internal_user = ${cfg.user} - default_internal_group = ${cfg.group} - auth_username_format = %Ln mail_home = ${maildir}/%u @@ -170,5 +168,23 @@ in } ''; + systemd.services.dovecot2.serviceConfig = mylib.misc.serviceHardened // { + StateDirectory = "dovecot"; + ReadWritePaths = [ maildir ]; + CapabilityBoundingSet = [ + "CAP_CHOWN" + "CAP_KILL" + "CAP_SYS_CHROOT" + "CAP_SETUID" + "CAP_SETGID" + "CAP_NET_BIND_SERVICE" + "CAP_DAC_OVERRIDE" + ]; + SystemCallFilter = [ + "@system-service" + "chroot" + ]; + }; + services.restic.backups.b2.paths = [ maildir ]; } diff --git a/nixos/profiles/services/mail/postfix.nix b/nixos/profiles/services/mail/postfix.nix index 6e31afc..37ef1cb 100644 --- a/nixos/profiles/services/mail/postfix.nix +++ b/nixos/profiles/services/mail/postfix.nix @@ -4,14 +4,33 @@ config, lib, pkgs, + mylib, ... }: { - systemd.services.postfix.serviceConfig = { + systemd.services.postfix.serviceConfig = mylib.misc.serviceHardened // { + StateDirectory = "postfix"; PrivateTmp = true; ExecStartPre = '' ${pkgs.openssl}/bin/openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -batch ''; + ProtectSystem = lib.mkForce "strict"; + RestrictAddressFamilies = lib.mkForce [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ]; + CapabilityBoundingSet = lib.mkForce [ + "" + "CAP_DAC_READ_SEARCH" + "CAP_DAC_OVERRIDE" + "CAP_KILL" + "CAP_SETUID" + "CAP_SETGID" + "CAP_NET_BIND_SERVICE" + ]; + SystemCallFilter = lib.mkForce [ "@system-service" ]; }; services.postfix = { diff --git a/nixos/profiles/services/ntfy/default.nix b/nixos/profiles/services/ntfy/default.nix index 897c014..1be5bb9 100644 --- a/nixos/profiles/services/ntfy/default.nix +++ b/nixos/profiles/services/ntfy/default.nix 
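Review bot: The `CapabilityBoundingSet` added for dovecot2 has neither the leading `""` reset nor the `lib.mkForce` that the caddy and postfix hunks in this commit use, so if any other module also defines that list for the unit its entries are merged in rather than replaced, and the rendered unit carries the union. The explicit seven-entry list suggests an exact set is intended; `CapabilityBoundingSet = lib.mkForce [ "" "CAP_CHOWN" … ];` would make that explicit, and `systemctl show dovecot2 -p CapabilityBoundingSet` on a built host confirms the effective set. A short comment tying each entry to its use — presumably `CAP_SYS_CHROOT` together with the extra `"chroot"` syscall for the login-process chroot, and `CAP_SETUID`/`CAP_SETGID` for per-user mail processes — would keep the list auditable the next time it is pruned; the removal of `default_internal_user`/`default_internal_group` in the second hunk is related to that privilege model and is worth a sentence in the same comment.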
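Review bot: `SystemCallFilter = lib.mkForce [ "@system-service" ];` in postfix.nix does not admit chroot(2), while the dovecot hunk in the same commit adds `"chroot"` explicitly; if any entry in the generated master.cf keeps its chroot flag on, the child process is killed with SIGSYS rather than logging an error. `ProtectSystem = lib.mkForce "strict"` likewise leaves only `/var/lib/postfix` (via `StateDirectory = "postfix"`) and the private `/tmp` writable, so any local delivery target outside those paths needs a `ReadWritePaths` entry. Neither master.cf nor the delivery setup is visible in this hunk, so this is worth confirming on a built host with a test message and `systemd-analyze security postfix`; `SystemCallLog = [ "~@system-service" ];` during that test surfaces any blocked call. The `""` entry inside a `lib.mkForce` list is redundant, since mkForce already discards other definitions, but harmless.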
@@ -16,6 +16,8 @@ }; systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // { + AmbientCapabilities = lib.mkForce [ "" ]; + CapabilityBoundingSet = lib.mkForce [ "" ]; DynamicUser = lib.mkForce false; };