Merge pull request #165252 from Luflosi/ipfs-hardening

nixos/ipfs: add systemd hardening
This commit is contained in:
Kevin Cox 2022-03-22 08:10:01 -04:00 committed by GitHub
commit 954f445608
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 9 deletions


@ -239,7 +239,10 @@ in
"d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
]; ];
systemd.packages = [ cfg.package ]; # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
systemd.packages = if cfg.autoMount
then [ cfg.package.systemd_unit ]
else [ cfg.package.systemd_unit_hardened ];
systemd.services.ipfs = { systemd.services.ipfs = {
path = [ "/run/wrappers" cfg.package ]; path = [ "/run/wrappers" cfg.package ];
@ -275,6 +278,8 @@ in
ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ]; ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
StateDirectory = "";
ReadWritePaths = [ "" cfg.dataDir ];
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
} // optionalAttrs (!cfg.startWhenNeeded) { } // optionalAttrs (!cfg.startWhenNeeded) {
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
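Review bot: The leading `""` in `ReadWritePaths = [ "" cfg.dataDir ]` and the `StateDirectory = ""` reset just above it are unexplained in the second hunk; they presumably clear values that the packaged hardened unit sets (the test in this PR expects /var/lib/ipfs to stay absent when dataDir is moved), which a reader of the module cannot see. Suggest a comment above the two lines: `# "" clears StateDirectory/ReadWritePaths inherited from the packaged unit so only cfg.dataDir stays writable`. Note also that `ReadWritePaths` only constrains anything under the hardened unit's sandbox, and with `autoMount = true` the first hunk selects the plain `systemd_unit`, so the hardening is silently disabled in that configuration; that trade-off deserves a sentence in the `autoMount` option description or a `warnings` entry rather than only the inline comment. The `systemd.services.ipfs` attribute set spans both hunks and continues past the last one.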


@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
# Also will add a unix domain socket socket API address, see module. # Also will add a unix domain socket socket API address, see module.
startWhenNeeded = true; startWhenNeeded = true;
apiAddress = "/ip4/127.0.0.1/tcp/2324"; apiAddress = "/ip4/127.0.0.1/tcp/2324";
dataDir = "/mnt/ipfs";
}; };
}; };
@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
machine.succeed( machine.succeed(
f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2" f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
) )
# Test if setting dataDir works properly with the hardened systemd unit
machine.succeed("test -e /mnt/ipfs/config")
machine.succeed("test ! -e /var/lib/ipfs/")
''; '';
}) })
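Review bot: The two new assertions at the end of the test only check where the data directory ended up; they do not confirm that the hardened unit is the one actually running, so a regression that reverted `systemd.packages` to the plain unit would still pass as long as `dataDir` is honoured. A cheap complement is to pick one sandboxing directive that only `misc/systemd/ipfs-hardened.service` sets and assert it with `machine.succeed("systemctl show -p <DIRECTIVE> ipfs | grep -q <EXPECTED>")` (placeholders to be filled from the upstream unit). The `test ! -e /var/lib/ipfs/` line also hard-codes the module's default `dataDir`; a comment such as `# default dataDir must not be created once dataDir is overridden` makes the intent survive a future default change. The `autoMount = true` branch, which selects the non-hardened unit, is not exercised by this test at all.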


@ -29,15 +29,23 @@ buildGoModule rec {
vendorSha256 = null; vendorSha256 = null;
outputs = [ "out" "systemd_unit" "systemd_unit_hardened" ];
postPatch = ''
substituteInPlace 'misc/systemd/ipfs.service' \
--replace '/usr/bin/ipfs' "$out/bin/ipfs"
substituteInPlace 'misc/systemd/ipfs-hardened.service' \
--replace '/usr/bin/ipfs' "$out/bin/ipfs"
'';
postInstall = '' postInstall = ''
install --mode=444 -D misc/systemd/ipfs.service $out/etc/systemd/system/ipfs.service install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit/etc/systemd/system/ipfs-api.socket"
install --mode=444 -D misc/systemd/ipfs-hardened.service $out/etc/systemd/system/ipfs-hardened.service install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit/etc/systemd/system/ipfs-gateway.socket"
install --mode=444 -D misc/systemd/ipfs-api.socket $out/etc/systemd/system/ipfs-api.socket install --mode=444 -D 'misc/systemd/ipfs.service' "$systemd_unit/etc/systemd/system/ipfs.service"
install --mode=444 -D misc/systemd/ipfs-gateway.socket $out/etc/systemd/system/ipfs-gateway.socket
substituteInPlace $out/etc/systemd/system/ipfs.service \ install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-api.socket"
--replace /usr/bin/ipfs $out/bin/ipfs install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-gateway.socket"
substituteInPlace $out/etc/systemd/system/ipfs-hardened.service \ install --mode=444 -D 'misc/systemd/ipfs-hardened.service' "$systemd_unit_hardened/etc/systemd/system/ipfs.service"
--replace /usr/bin/ipfs $out/bin/ipfs
''; '';
meta = with lib; { meta = with lib; {
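Review bot: The `substituteInPlace ... --replace '/usr/bin/ipfs' "$out/bin/ipfs"` calls in the new `postPatch` are silent when the pattern is absent, so an upstream change to the ExecStart path would ship units that still point at /usr/bin/ipfs without any build failure. Suggest asserting the result right after the substitutions: `grep -q "$out/bin/ipfs" misc/systemd/ipfs.service` and `grep -q "$out/bin/ipfs" misc/systemd/ipfs-hardened.service`. The last `install` line also deserves a why-comment, since it renames `ipfs-hardened.service` to `ipfs.service` inside `$systemd_unit_hardened`: `# installed under the plain unit name so the NixOS module can swap outputs without changing the service name`. The derivation body continues past this hunk.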