update

2026-01-14 16:55:00 +01:00 · 2025-12-28 18:43:32 +01:00 · 2025-12-28 18:43:32 +01:00 · 9015d6ebab
commit 9015d6ebab
parent 413dfef394
3 changed files with 54 additions and 3 deletions
--- a/nix/apps/does-it-build/default.nix
+++ b/nix/apps/does-it-build/default.nix
@ -49,6 +49,23 @@ in
      ];
      # GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----...
      EnvironmentFile = [ config.age.secrets.does_it_build_private_key.path ];
+
+      ProtectHome = true;
+      StateDirectory = "does-it-build";
+      ProtectSystem = "strict";
+      PrivateTmp = true;
+
+      RemoveIPC = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      RestrictNamespaces = "";
+      RestrictSUIDSGID = true;
+      ProtectHostname = true;
    };
  };

--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@ -60,6 +60,7 @@ in

    settings = {
      PasswordAuthentication = false;
+      AllowUsers = [ "root" ];
    };
  };
  services.fail2ban = {
@ -79,6 +80,22 @@ in
        "PRETENSE_PORTS=23,3306,5432,1521" # telnet,mysql,postgres,oracle
        "PRETENSE_METRICS_PORT=9150"
      ];
+      PrivateDevices = true;
+      ProtectHome = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectHostname = true;
+      ProtectKernelTunables = true;
+      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+      ProtectProc = "ptraceable";
+      RestrictNamespaces = true;
+      MemoryDenyWriteExecute = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      SystemCallArchitectures = "";
+      SystemCallFilter = "@system-service";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      ProtectSystem = "strict";
    };
  };
  systemd.services.quotdd = {
@ -90,6 +107,23 @@ in
      ExecStart = "${lib.getExe (quotdd {inherit pkgs;})}";
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      Environment = [ ];
+
+      PrivateDevices = true;
+      ProtectHome = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectHostname = true;
+      ProtectKernelTunables = true;
+      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+      ProtectProc = "ptraceable";
+      RestrictNamespaces = true;
+      MemoryDenyWriteExecute = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      SystemCallArchitectures = "";
+      SystemCallFilter = "@system-service";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      ProtectSystem = "strict";
    };
  };
  networking.firewall.allowedTCPPorts = [
--- a/nix/my-projects.json
+++ b/nix/my-projects.json
@ -18,12 +18,12 @@
    }
  },
  "does-it-build": {
-    "commit": "d15a7465584b5e90dc19126cc3d097683d055a63",
+    "commit": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
    "fetchFromGitHub": {
      "owner": "Noratrieb",
      "repo": "does-it-build",
-      "rev": "d15a7465584b5e90dc19126cc3d097683d055a63",
-      "hash": "sha256-UC+uy7Ba+VAXeBplIblrYptoI2ORsnL+U64BNGUR7CY="
+      "rev": "3a1695c554d8f07aac47a11f516ff65db7420ca6",
+      "hash": "sha256-n7rTR3VrPt0x7QfzRnOHSxb4gSfMj4rA9kZD1RTYTWY="
    }
  },
  "upload.files.noratrieb.dev": {