mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-03 19:43:30 +00:00
cb10fe8aaf
Systemd units with `PrivateUsers` set get their capabilities within the user namespace only [1]. As a result they do cannot bind to privileged ports even though they *appear* like they should be able to. The units in this commit [2] set `PrivateUsers` unconditionally so binding to privileged ports is currently impossible. Granting them CAP_NET_BIND_SERVICE is useless and misleading any reader of those modules. Technically, this commit also hardens these modules ever so slightly. (There are corner cases where this could make sense (e.g. across units, using `JoinsNamspaceOf`) but this is arcane enough to not to be present in nixpkgs.) [1]: systemd.exec(5): PrivateUsers [2]: found using `rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l`
158 lines
4.9 KiB
Nix
158 lines
4.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.services.wastebin;
|
|
inherit (lib)
|
|
mkEnableOption mkPackageOption mkIf mkOption
|
|
types mapAttrs isBool getExe boolToString optionalAttrs;
|
|
in
|
|
{
|
|
|
|
options.services.wastebin = {
|
|
|
|
enable = mkEnableOption "Wastebin, a pastebin service";
|
|
|
|
package = mkPackageOption pkgs "wastebin" { };
|
|
|
|
stateDir = mkOption {
|
|
type = types.path;
|
|
default = "/var/lib/wastebin";
|
|
description = "State directory of the daemon.";
|
|
};
|
|
|
|
secretFile = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
example = "/run/secrets/wastebin.env";
|
|
description = ''
|
|
Path to file containing sensitive environment variables.
|
|
Some variables that can be considered secrets are:
|
|
|
|
- WASTEBIN_PASSWORD_SALT:
|
|
salt used to hash user passwords used for encrypting pastes.
|
|
|
|
- WASTEBIN_SIGNING_KEY:
|
|
sets the key to sign cookies. If not set, a random key will be
|
|
generated which means cookies will become invalid after restarts and
|
|
paste creators will not be able to delete their pastes anymore.
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
|
|
description = ''
|
|
Additional configuration for wastebin, see
|
|
<https://github.com/matze/wastebin#usage> for supported values.
|
|
For secrets use secretFile option instead.
|
|
'';
|
|
|
|
type = types.submodule {
|
|
|
|
freeformType = with types; attrsOf (oneOf [ bool int str ]);
|
|
|
|
options = {
|
|
|
|
WASTEBIN_ADDRESS_PORT = mkOption {
|
|
type = types.str;
|
|
default = "0.0.0.0:8088";
|
|
description = "Address and port to bind to";
|
|
};
|
|
|
|
WASTEBIN_BASE_URL = mkOption {
|
|
default = "http://localhost";
|
|
example = "https://myhost.tld";
|
|
type = types.str;
|
|
description = ''
|
|
Base URL for the QR code display. If not set, the user agent's Host
|
|
header field is used as an approximation.
|
|
'';
|
|
};
|
|
|
|
WASTEBIN_CACHE_SIZE = mkOption {
|
|
default = 128;
|
|
type = types.int;
|
|
description = "Number of rendered syntax highlight items to cache. Can be disabled by setting to 0.";
|
|
};
|
|
|
|
WASTEBIN_DATABASE_PATH = mkOption {
|
|
default = "/var/lib/wastebin/sqlite3.db"; # TODO make this default to stateDir/sqlite3.db
|
|
type = types.str;
|
|
description = "Path to the sqlite3 database file. If not set, an in-memory database is used.";
|
|
};
|
|
|
|
WASTEBIN_HTTP_TIMEOUT = mkOption {
|
|
default = 5;
|
|
type = types.int;
|
|
description = "Maximum number of seconds a request can be processed until wastebin responds with 408";
|
|
};
|
|
|
|
WASTEBIN_MAX_BODY_SIZE = mkOption {
|
|
default = 1024;
|
|
type = types.int;
|
|
description = "Number of bytes to accept for POST requests";
|
|
};
|
|
|
|
WASTEBIN_TITLE = mkOption {
|
|
default = "wastebin";
|
|
type = types.str;
|
|
description = "Overrides the HTML page title";
|
|
};
|
|
|
|
RUST_LOG = mkOption {
|
|
default = "info";
|
|
type = types.str;
|
|
description =
|
|
''
|
|
Influences logging. Besides the typical trace, debug, info etc.
|
|
keys, you can also set the tower_http key to some log level to get
|
|
additional information request and response logs.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
default = { };
|
|
|
|
example = {
|
|
WASTEBIN_TITLE = "My awesome pastebin";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable
|
|
{
|
|
systemd.services.wastebin = {
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
|
|
serviceConfig = {
|
|
DevicePolicy = "closed";
|
|
DynamicUser = true;
|
|
ExecStart = "${getExe cfg.package}";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
SystemCallArchitectures = [ "native" ];
|
|
SystemCallFilter = [ "@system-service" ];
|
|
StateDirectory = baseNameOf cfg.stateDir;
|
|
ReadWritePaths = cfg.stateDir;
|
|
} // optionalAttrs (cfg.secretFile != null) {
|
|
EnvironmentFile = cfg.secretFile;
|
|
};
|
|
};
|
|
};
|
|
|
|
meta.maintainers = with lib.maintainers; [ pinpox ];
|
|
}
|