nixos/pretix: update hardening

- Transition from world-readable to group-readable UMask
- Remove world permissions from state directory
Martin Weinelt 2024-05-09 17:25:59 +02:00
parent e2ccc754ac
commit 9afcf733f3
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759


@ -468,7 +468,7 @@ in
StateDirectory = [
"pretix"
];
StateDirectoryMode = "0755";
StateDirectoryMode = "0750";
CacheDirectory = "pretix";
LogsDirectory = "pretix";
WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
"~@privileged"
"@chown"
];
UMask = "0022";
UMask = "0027";
};
};
in {
@ -561,6 +561,8 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
};
nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
};
systemd.sockets.pretix-web.socketConfig = {