nixos/public-inbox: enable confinement

NixOS · Dec 22, 2024 · 2d4c685 · 2d4c685
1 parent 9e22edb
commit 2d4c685
Showing 1 changed file with 7 additions and 35 deletions.
diff --git a/nixos/modules/services/mail/public-inbox.nix b/nixos/modules/services/mail/public-inbox.nix
@@ -74,20 +74,11 @@ let
         StateDirectory = [ "public-inbox" ];
         StateDirectoryMode = "0750";
         WorkingDirectory = stateDir;
-        BindReadOnlyPaths =
-          [
-            "/etc"
-            "/run/systemd"
-            "${config.i18n.glibcLocales}"
-          ]
-          ++ mapAttrsToList (name: inbox: inbox.description) cfg.inboxes
-          ++
-            # Without confinement the whole Nix store
-            # is made available to the service
-            optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [
-              "${pkgs.dash}/bin/dash:/bin/sh"
-              builtins.storeDir
-            ];
+        BindReadOnlyPaths = [
+          "/etc"
+          "/run/systemd"
+          "${config.i18n.glibcLocales}"
+        ] ++ mapAttrsToList (name: inbox: inbox.description) cfg.inboxes;
         # The following options are only for optimizing:
         # systemd-analyze security public-inbox-'*'
         AmbientCapabilities = "";
@@ -104,7 +95,7 @@ let
         ProtectHostname = true;
         ProtectKernelLogs = true;
         ProtectProc = "invisible";
-        #ProtectSystem = "strict";
+        ProtectSystem = "strict";
         RemoveIPC = true;
         RestrictAddressFamilies =
           [ "AF_UNIX" ]
@@ -126,28 +117,9 @@ let
           # Not removing @timer because git upload-pack needs it.
         ];
         SystemCallArchitectures = "native";
-
-        # The following options are redundant when confinement is enabled
-        RootDirectory = "/var/empty";
-        TemporaryFileSystem = "/";
-        PrivateMounts = true;
-        MountAPIVFS = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectControlGroups = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
       };
       confinement = {
-        # Until we agree upon doing it directly here in NixOS
-        # https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447
-        # let the user choose to enable the confinement with:
-        # systemd.services.public-inbox-httpd.confinement.enable = true;
-        # systemd.services.public-inbox-imapd.confinement.enable = true;
-        # systemd.services.public-inbox-init.confinement.enable = true;
-        # systemd.services.public-inbox-nntpd.confinement.enable = true;
-        #enable = true;
+        enable = true;
         mode = "full-apivfs";
         # Inline::C needs a /bin/sh, and dash is enough
         binSh = "${pkgs.dash}/bin/dash";