commit 8727a877b7f489ab5180d5536d9cb6794c7fdc9e
parent 8af18018950603510026db9f9d103459031a83fe
Author: Leah (ctucx) <leah@ctu.cx>
Date: Wed, 18 May 2022 19:56:55 +0200
parent 8af18018950603510026db9f9d103459031a83fe
Author: Leah (ctucx) <leah@ctu.cx>
Date: Wed, 18 May 2022 19:56:55 +0200
machines/osterei/websites/photos.ctu.cx: permission fix and improvements
2 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/machines/osterei/websites/flauschehorn.sexy.nix b/machines/osterei/websites/flauschehorn.sexy.nix
@@ -29,6 +29,7 @@ in {
 systemd = {
 services.flauschehorn-fetcher = {
+ startAt = "*-*-* 3:00:00";
 after = [ "network-online.target" ];
 environment = {
 DB_PATH = "hornpostings.db";
@@ -62,16 +63,6 @@ in {
 LockPersonality = true;
 };
 };
-
- timers.flauschehorn-fetcher = {
- wantedBy = [ "timers.target" ];
- partOf = [ "flauschehorn-fetcher.service" ];
- timerConfig = {
- OnCalendar = "*-*-* 3:00:00";
- RandomizedDelaySec = 300;
- Unit = "flauschehorn-fetcher.service";
- };
- };
 };
 services = {
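Review bot: Switching to `startAt` silently drops the `RandomizedDelaySec = 300` that the removed `timers.flauschehorn-fetcher` block carried, so the generated timer now fires at exactly 03:00:00 with no jitter; the first hunk adds the replacement and the second hunk removes the old timer, so both are affected. If the spread was deliberate, keep it next to the new option with `systemd.timers.flauschehorn-fetcher.timerConfig.RandomizedDelaySec = 300;`. The enclosing `systemd` attribute set begins before the first hunk.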
diff --git a/machines/osterei/websites/photos.ctu.cx.nix b/machines/osterei/websites/photos.ctu.cx.nix
@@ -103,6 +103,16 @@ in {
 options = [ "ro" "perms=0000:a+rX" ];
 };
+ users = {
+ users."ctucx-gallery" = {
+ home = "/var/lib/ctucx-gallery";
+ group = "ctucx-gallery";
+ isSystemUser = true;
+ };
+ groups."ctucx-gallery" = {};
+ };
+
+
 systemd.services.ctucx-gallery = {
 startAt = "*-*-* *:0/10:00";
 wantedBy = [ "multi-user.target" ];
@@ -111,12 +121,32 @@ in {
 serviceConfig = {
 Type = "oneshot";
- DynamicUser = true;
- StateDirectory = "ctucx-gallery";
- PrivateTmp = true;
- ProtectHome = true;
- ProtectSystem = "strict";
+# DynamicUser = true;
+ ExecStart = "${gallery}/bin/gallery ${galleryConfigFile}";
+
+ User = "ctucx-gallery";
+ Group = "ctucx-gallery";
+
+
+ StateDirectory = "ctucx-gallery";
+ StateDirectoryMode = "755";
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ ProtectSystem = "full";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
 };
 };
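Review bot: The rewritten `serviceConfig` in the second hunk weakens two settings it removes: `ProtectSystem = "strict"` becomes `"full"` (only /usr, /boot, /efi and /etc read-only instead of the whole hierarchy) and `ProtectHome = true` disappears, even though `StateDirectory` already gives the unit its writable path under `strict`. Prefer `ProtectSystem = "strict";` and `ProtectHome = true;` alongside the newly added hardening. The column-0 `# DynamicUser = true;` reads as a leftover from switching to the static user and should be deleted rather than committed. `StateDirectoryMode = "755"` makes the state directory world-readable, presumably so the web server can read the rendered gallery; a short comment such as `# readable by the web server that serves the output` would make the permission fix named in the commit title self-explanatory.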