fix: harden vikunja services and don't generate service token for it

nhnn
2025-04-18 13:01:22 +03:00
committed by Inex Code
parent 744ba8f03c
commit b51561ef01


@@ -163,6 +163,39 @@ in {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
User = "vikunja"; User = "vikunja";
Group = "vikunja"; Group = "vikunja";
AmbientCapabilities = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
RemoveIPC = true;
SystemCallFilter = ["@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"];
}; };
environment.SP_VIKUNJA_CLIENT_SECRET_PATH = "%d/oauth2-secret"; environment.SP_VIKUNJA_CLIENT_SECRET_PATH = "%d/oauth2-secret";
}; };
@@ -174,7 +207,7 @@ in {
selfprivacy.auth.clients.${oauthClientID} = { selfprivacy.auth.clients.${oauthClientID} = {
inherit usersGroup; inherit usersGroup;
subdomain = cfg.subdomain; subdomain = cfg.subdomain;
isTokenNeeded = true; isTokenNeeded = false;
originLanding = "https://${cfg.subdomain}.${sp.domain}/"; originLanding = "https://${cfg.subdomain}.${sp.domain}/";
originUrl = "https://${cfg.subdomain}.${sp.domain}/auth/openid/${lib.strings.toLower oauth2-provider-name}"; originUrl = "https://${cfg.subdomain}.${sp.domain}/auth/openid/${lib.strings.toLower oauth2-provider-name}";
clientSystemdUnits = ["vikunja.service"]; clientSystemdUnits = ["vikunja.service"];
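Review bot: `AmbientCapabilities = [""];` in the added hardening block only clears the ambient set, which is already empty for a unit by default, while the capability bounding set stays at its default of all capabilities. I would add `CapabilityBoundingSet = [""];` next to it, so the drop is explicit rather than resting on `User = "vikunja"` and `NoNewPrivileges = true` alone. `ProtectSystem = "strict"` mounts nearly the whole file system read-only for the service, and no `StateDirectory` or `ReadWritePaths` is visible in this hunk. It is worth confirming that the writable state path is declared in the part of the service configuration that starts above the hunk. A short comment above the block, such as `# sandboxing; re-check with: systemd-analyze security vikunja.service`, would tell the next maintainer how to verify the result after changing these options.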