commit 0e69584de0e742720bb7da9ba0e0123a7fd1b43e
parent e965eeec580dd299b5ce9400247b9082b69622d2
Author: Leah (ctucx) <git@ctu.cx>
Date: Tue, 9 May 2023 13:35:50 +0200
parent e965eeec580dd299b5ce9400247b9082b69622d2
Author: Leah (ctucx) <git@ctu.cx>
Date: Tue, 9 May 2023 13:35:50 +0200
machines/lollo/smarthome/{departures2mqtt,homebridge,influx2,sdm2mqtt}: lock down services
5 files changed, 141 insertions(+), 4 deletions(-)
diff --git a/machines/lollo/smarthome/departures2mqtt.nix b/machines/lollo/smarthome/departures2mqtt.nix
@@ -13,6 +13,27 @@ serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.departures2mqtt}/bin/departures2mqtt --mqtt-host=127.0.0.1 --mqtt-topic=departures2mqtt --stations=1505,2946,2187";
+
+ DynamicUser = true;
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
+
+ LimitNPROC = 1;
 }; };
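Review bot: The new `serviceConfig` drops no capabilities and filters no system calls, although the rest of it is the standard hardening set; `DynamicUser = true` makes the process unprivileged, but its bounding set and syscall surface stay at the defaults. For a oneshot client like this one, `CapabilityBoundingSet = "";`, `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" ];` close that gap without changing behaviour. One caveat on `RestrictAddressFamilies = "AF_INET AF_INET6"`: on NixOS, glibc name lookups first try nscd over an AF_UNIX socket, so without `AF_UNIX` they fall back to direct resolution — verify that departures2mqtt still resolves its upstream API under the restriction. The `systemd.services` attribute this `serviceConfig` belongs to opens before the hunk.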
diff --git a/machines/lollo/smarthome/homebridge.nix b/machines/lollo/smarthome/homebridge.nix
@@ -22,13 +22,36 @@ systemd.services.homebridge = { enable = true; wantedBy = [ "multi-user.target" ];
+
 serviceConfig = { User = "homebridge";
+ Restart = "always"; RestartSec = "15";
+ EnvironmentFile = "${pkgs.homebridge}/env";
+ ExecStart = "${pkgs.homebridge}/bin/homebridge --no-qrcode --user-storage-path /var/lib/homebridge";
+ AmbientCapabilities = "CAP_NET_RAW";
+
+ ReadWritePaths = [ "/var/lib/homebridge" ];
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
 }; };
@@ -37,11 +60,33 @@ wantedBy = [ "multi-user.target" ]; serviceConfig = { User = "homebridge-isa";
+ Restart = "always"; RestartSec = "15";
+ EnvironmentFile = "${pkgs.homebridge}/env";
+ ExecStart = "${pkgs.homebridge}/bin/homebridge --no-qrcode --user-storage-path /var/lib/homebridge-isa";
- AmbientCapabilities = "CAP_NET_RAW";
+
+ AmbientCapabilities = [ "CAP_NET_RAW" ];
+
+ ReadWritePaths = [ "/var/lib/homebridge-isa" ];
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
 }; };
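Review bot: `AmbientCapabilities` is written as a string (`"CAP_NET_RAW"`) in the homebridge hunk and as a list (`[ "CAP_NET_RAW" ]`) in the homebridge-isa hunk below; both forms are accepted, but the two services are otherwise copies of each other and should use one. Neither hunk pairs the ambient grant with `CapabilityBoundingSet = [ "CAP_NET_RAW" ];`, its usual companion: with a non-root `User` and `NoNewPrivileges = true` the process cannot regain other capabilities today, but the bounding set makes the ceiling explicit and survives a later change of `User`. `EnvironmentFile = "${pkgs.homebridge}/env"` points into the world-readable Nix store, so that file must not carry anything secret — I assume it only holds non-sensitive settings; confirm. `systemd.services.homebridge-isa` opens before its hunk.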
diff --git a/machines/lollo/smarthome/influxdb2.nix b/machines/lollo/smarthome/influxdb2.nix
@@ -35,6 +35,25 @@ systemd.services.power-history = { startAt = "0/2:00:00"; path = with pkgs; [ curl jq mosquitto ];
+
+ serviceConfig = {
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ };
+
 script = '' QUERY=$(cat <<-END import "timezone"
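Review bot: The new `serviceConfig` sets neither `User` nor `DynamicUser`, so `power-history` keeps running as root with the full capability set; `NoNewPrivileges` and the `Protect*` options fence off the filesystem and kernel interfaces but do not drop privileges. Judging by `path = with pkgs; [ curl jq mosquitto ]` the script only needs network clients, so `DynamicUser = true;` as in departures2mqtt.nix is the most effective single addition — unless the script reads a root-only token, in which case `LoadCredential=` keeps that working under an unprivileged user. `RestrictAddressFamilies = "AF_INET AF_INET6";` is also missing here although the sibling services set it. The `script` body continues past the end of the hunk.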
diff --git a/machines/lollo/smarthome/mbusd.nix b/machines/lollo/smarthome/mbusd.nix
@@ -13,10 +13,41 @@ serviceConfig = { ExecStart = "${pkgs.mbusd}/bin/mbusd -d -v2 -L - -p /dev/modbus0 -s 9600 -m 8n1 -C 32 -N 3 -R 100 -W 500 -T 60";
+ Restart = "on-failure"; RestartSec = "1";
+ StandardOutput = "journal"; StandardError = "journal";
+
+ DynamicUser = true;
+ SupplementaryGroups = [ "dialout" ];
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ IPAddressAllow = "127.0.0.0/8";
+
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ DeviceAllow = [ "/dev/modbus0" ];
+
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+
+ LockPersonality = true;
+
+ LimitNPROC = 1;
+
 }; };
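Review bot: `IPAddressAllow = "127.0.0.0/8"` has no effect on its own: systemd grants any packet that matches neither the allow nor the deny list, so without a deny list the TCP listener mbusd binds (the `CAP_NET_BIND_SERVICE` grant suggests a privileged port) stays reachable from every address, subject only to the host firewall. The same allow-without-deny appears in the sdm2mqtt.nix hunk; both should read `IPAddressAllow = "127.0.0.0/8"; IPAddressDeny = "any";`. `DeviceAllow = [ "/dev/modbus0" ]` with no access mode defaults to the full `rwm`; `"/dev/modbus0 rw"` is enough for a serial port. The service definition that holds this `serviceConfig` opens before the hunk.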
diff --git a/machines/lollo/smarthome/sdm2mqtt.nix b/machines/lollo/smarthome/sdm2mqtt.nix
@@ -20,14 +20,35 @@ in { after = [ "network-online.target" "mbusd.service" "mosquitto.service" ]; onFailure = [ "email-notify@%i.service" ];
+ environment.CONFIG_PATH = configFile;
+
 serviceConfig = { ExecStart = "${pkgs.sdm2mqtt}/bin/sdm2mqtt"; Restart = "on-failure"; RestartSec = "5";
- };
- environment = {
- CONFIG_PATH = configFile;
+ DynamicUser = true;
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+
+ ProtectSystem = "strict";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+
+ IPAddressAllow = "127.0.0.0/8";
+
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
+
+ LimitNPROC = 1;
 }; };
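Review bot: `environment.CONFIG_PATH = configFile` hands the daemon a path whose binding lies above the hunk; if that binding is a `writeText`-style store path, the file is world-readable, so any MQTT or Modbus credentials inside it are exposed to every local user — and `DynamicUser = true` on the same service does nothing to change that. If the config carries secrets, a `LoadCredential=` entry (with the daemon reading it from `$CREDENTIALS_DIRECTORY`) or a root-owned file outside the store is the usual fix; if it holds only hostnames and ports, moving the assignment is fine as is. The `let` binding of `configFile` and the closing of the outer attribute set are outside the hunk.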