Set limited permissions for the webserver container

2021-04-19 00:39:33 +01:00 · 2021-04-19 00:39:33 +01:00 · a3b72d11bd
commit a3b72d11bd
parent 04c00b9877
4 changed files with 32 additions and 6 deletions
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -1,6 +1,12 @@
 { config, pkgs, ... }:

 {
+  users.extraUsers.webserver = {
+    uid = config.ids.uids.webserver;
+    isSystemUser = true;
+    description = "tlater.net web server user";
+  };
+
  virtualisation.oci-containers.containers.webserver = {
    image = "tlaternet/webserver";

@ -9,18 +15,24 @@
      tag = "latest";
      contents = pkgs.tlaternet-webserver.webserver;

-      config = {
+      config = let
+        user = config.users.extraUsers.webserver;
+        group = config.users.groups.${user.group};
+        uid = toString user.uid;
+        gid = toString group.gid;
+      in {
        Cmd = [ "tlaternet-webserver" ];
        Volumes = { "/srv/mail" = { }; };
        Env = [
-          "ROCKET_PORT=80"
+          "ROCKET_PORT=3002"
          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
        ];
-        ExposedPorts = { "80" = { }; };
+        ExposedPorts = { "3002" = { }; };
+        User = "${uid}:${gid}";
      };
    };

-    ports = [ "3002:80" ];
+    ports = [ "3002:3002" ];
    volumes = [ "tlaternet-mail:/srv/mail" ];
    extraOptions = [ "--hostname=tlater.net" ];
  };