2019-04-27 16:53:26 -07:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
2019-04-27 15:27:25 -07:00
|
|
|
let
|
2019-04-27 12:21:45 -07:00
|
|
|
defaultHardening = {
|
|
|
|
|
PrivateTmp = "true";
|
|
|
|
|
ProtectSystem = "full";
|
2019-04-27 15:27:25 -07:00
|
|
|
ProtectHome = "true";
|
2019-04-27 12:21:45 -07:00
|
|
|
NoNewPrivileges = "true";
|
|
|
|
|
PrivateDevices = "true";
|
|
|
|
|
MemoryDenyWriteExecute = "true";
|
2019-04-27 15:27:25 -07:00
|
|
|
ProtectKernelTunables = "true";
|
|
|
|
|
ProtectKernelModules = "true";
|
|
|
|
|
ProtectControlGroups = "true";
|
|
|
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
2019-04-28 06:11:27 -07:00
|
|
|
RestrictNamespaces = "true";
|
2019-04-27 15:27:25 -07:00
|
|
|
LockPersonality = "true";
|
2019-04-27 16:53:26 -07:00
|
|
|
IPAddressDeny = "any";
|
2019-04-27 12:21:45 -07:00
|
|
|
};
|
2019-04-27 15:27:25 -07:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
inherit defaultHardening;
|
2019-05-03 03:44:16 -07:00
|
|
|
# nodejs applications apparently rely on memory write execute
|
|
|
|
|
nodejs = { MemoryDenyWriteExecute = "false"; };
|
2019-04-27 16:53:26 -07:00
|
|
|
# Allow tor traffic. Allow takes precedence over Deny.
|
2019-04-28 11:54:13 -07:00
|
|
|
allowTor = {
|
|
|
|
|
IPAddressAllow = "127.0.0.1/32 ::1/128";
|
|
|
|
|
};
|
2019-04-27 16:53:26 -07:00
|
|
|
# Allow any traffic
|
|
|
|
|
allowAnyIP = { IPAddressAllow = "any"; };
|
|
|
|
|
|
|
|
|
|
enforceTor = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
"Whether to force Tor on a service by only allowing connections from and
|
|
|
|
|
to 127.0.0.1;";
|
|
|
|
|
'';
|
|
|
|
|
};
|
2019-04-27 12:21:45 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
