Diffstat (limited to 'nix')
| -rw-r--r-- | nix/module.nix | 18 | ||||
| -rw-r--r-- | nix/package.nix | 12 | ||||
| -rw-r--r-- | nix/static.nix | 19 |
3 files changed, 31 insertions, 18 deletions
diff --git a/nix/module.nix b/nix/module.nix
index ec9da78..3d23ead 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -47,16 +47,26 @@ in {
 ${getExe cfg.package}
 '';
+ environment = {
+ # using `/var/lib/private` as we have `DynamicUser` enabled
+ BOT_NIXPKGS_PATH = "/var/lib/private/${config.systemd.services.nixpkgs-tracker-bot.serviceConfig.StateDirectory}/nixpkgs";
+ };
+
 serviceConfig = {
 Type = "simple";
 Restart = "on-failure";
 EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
- # hardening
+ StateDirectory = "nixpkgs-tracker-bot";
+
+ # hardening settings
 DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
+ PrivateIPC = true;
 PrivateTmp = true;
 PrivateUsers = true;
 ProtectClock = true;
@@ -66,16 +76,16 @@ in {
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
+ ProtectProc = "invisible";
 ProtectSystem = "strict";
 RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
- "~@resources"
- "~@privileged"
 ];
- Umask = "0007";
+ UMask = "0077";
 };
 };
 };
diff --git a/nix/package.nix b/nix/package.nix
index 2802233..778fa27 100644
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -1,6 +1,8 @@
 {
 lib,
 rustPlatform,
+ openssl,
+ pkg-config,
 version,
 lto ? true,
 optimizeSize ? false,
@@ -12,16 +14,16 @@ rustPlatform.buildRustPackage {
 src = lib.fileset.toSource {
 root = ../.;
 fileset = lib.fileset.unions [
- ../src
+ (lib.fileset.gitTracked ../crates)
 ../Cargo.toml
 ../Cargo.lock
 ];
 };
- cargoLock = {
- lockFile = ../Cargo.lock;
- allowBuiltinFetchGit = true;
- };
+ cargoLock.lockFile = ../Cargo.lock;
+
+ nativeBuildInputs = [pkg-config];
+ buildInputs = [openssl];
 env = let
 toRustFlags = lib.mapAttrs' (
diff --git a/nix/static.nix b/nix/static.nix
index f79de47..c5e3c57 100644
--- a/nix/static.nix
+++ b/nix/static.nix
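Review bot: The new `BOT_NIXPKGS_PATH` value hard-codes the `/var/lib/private` layout and re-reads the unit's own `StateDirectory` through `config.systemd.services.nixpkgs-tracker-bot`, so the service name is now spelled out twice in the same module and the path depends on an implementation detail of `DynamicUser`. systemd hands the same directory to the unit as `$STATE_DIRECTORY` and, for `DynamicUser` units, should also expose it through the `/var/lib/<StateDirectory>` symlink, so `BOT_NIXPKGS_PATH = "/var/lib/nixpkgs-tracker-bot/nixpkgs";` (or a `let` binding shared with `StateDirectory`) would remove the coupling. The comment above the value should also say that this directory is writable only because `StateDirectory` is carved out of `ProtectSystem = "strict"`, since that is the invariant a later edit could break.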
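Review bot: Dropping `"~@resources"` and `"~@privileged"` from `SystemCallFilter` widens the seccomp allowlist, because `@system-service` already admits the resource-limit and `@setuid`/`@chown` calls those two entries were subtracting, and nothing in this hunk records which call the bot now needs. If one specific syscall is required (for instance by a child `git` or `nix` process), keeping both deny entries and appending the single call, e.g. `"~@privileged"` followed by `"[needed syscall]"`, preserves the rest of the group restriction; a comment naming the reason would help the next person who tightens this list. The practical impact is presumably defence in depth, since `NoNewPrivileges` and the unprivileged `DynamicUser` identity should already make most `@privileged` calls fail, but that is worth stating rather than leaving implicit.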
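Review bot: `lib.fileset.gitTracked ../crates` is documented to take the working directory of a Git repository (a path that contains `.git`), so pointing it at the `crates` subdirectory will likely fail evaluation unless `crates` is itself a repository; the documented form for a subtree is `(lib.fileset.intersection ../crates (lib.fileset.gitTracked ../.))`. Either way the package now only evaluates from a Git checkout, which deserves a one-line comment above `fileset` since a source tarball or a `.git`-less copy will no longer build. Separately, `allowBuiltinFetchGit = true` was dropped from `cargoLock`; that is only safe if `Cargo.lock` no longer lists git-sourced crates, which cannot be verified from this hunk.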
@@ -1,16 +1,15 @@
 {
 lib,
- arch,
- nixpkgs-tracker-bot,
 fenix,
 pkgsCross,
+ nixpkgs-tracker-bot,
 }: let
- crossTargetFor = with pkgsCross; {
+ crossPkgsFor = with pkgsCross; {
 x86_64 = musl64.pkgsStatic;
 aarch64 = aarch64-multiplatform;
 };
- rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossTargetFor;
+ rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossPkgsFor;
 rustStdFor = lib.mapAttrs (lib.const (rustcTarget: fenix.targets.${rustcTarget}.stable.rust-std)) rustcTargetFor;
 toolchain = with fenix;
@@ -26,9 +25,11 @@
 lib.genAttrs ["cargo" "rustc"] (lib.const toolchain)
 ))
 )
- crossTargetFor;
+ crossPkgsFor;
 in
- nixpkgs-tracker-bot.override {
- rustPlatform = crossPlatformFor.${arch};
- optimizeSize = true;
- }
+ {arch}:
+ nixpkgs-tracker-bot.override {
+ rustPlatform = crossPlatformFor.${arch};
+ inherit (crossPkgsFor.${arch}) openssl;
+ optimizeSize = true;
+ }
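Review bot: Only `rustPlatform` and `openssl` are taken from `crossPkgsFor.${arch}` in the new `override`, while the `pkg-config` that `nix/package.nix` now places in `nativeBuildInputs` still comes from the native package set; whether that wrapper finds the cross `openssl`'s `.pc` files is not visible here, so the aarch64 build in particular should be exercised, or `inherit (crossPkgsFor.${arch}) openssl pkg-config;` used so both come from the same set. A related caveat worth a comment next to `crossPkgsFor`: `x86_64` maps to `musl64.pkgsStatic` but `aarch64` to plain `aarch64-multiplatform`, so the `openssl` inherited for aarch64 is presumably a shared library and that output may not be the fully static binary the file name suggests. `crossPlatformFor` is defined in the lines between the two hunks, outside what this hunk shows.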
