Set limited permissions for the webserver container

This commit is contained in:
Tristan Daniël Maat 2021-04-19 00:39:33 +01:00
parent 04c00b9877
commit a3b72d11bd
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 32 additions and 6 deletions


@ -1,8 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports = [
[ ./services/gitea.nix ./services/nextcloud.nix ./services/webserver.nix ]; ./services/gitea.nix
./services/nextcloud.nix
./services/webserver.nix
./ids.nix
];
nix = { nix = {
package = pkgs.nixFlakes; package = pkgs.nixFlakes;

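--- /dev/null
+++ b/configuration/ids.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ids.uids = {
+# System user ids start at 400 (see nixos/modules/programs/shadow.nix)
+webserver = 400;
+# The limit is 999
+};
+}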
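Review bot: `webserver = 400;` pins the uid to the first value of the 400–999 range that the comment itself says is the dynamic pool for `isSystemUser` accounts, so on a host that has already auto-allocated system users this fixed id can clash with one already recorded there; the usual approach is either to pick an id outside the dynamic pool or to check the existing allocation on the target host before pinning. I would record that decision next to the value, e.g. `# Fixed so the uid/gid baked into the container matches the host; verify it is free on existing hosts before deploying`. No matching `ids.gids.webserver` is declared here, so the group side of the container's `User` string has no fixed id from this file — if that is intentional it deserves a note.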


@ -1,6 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
users.extraUsers.webserver = {
uid = config.ids.uids.webserver;
isSystemUser = true;
description = "tlater.net web server user";
};
virtualisation.oci-containers.containers.webserver = { virtualisation.oci-containers.containers.webserver = {
image = "tlaternet/webserver"; image = "tlaternet/webserver";
@ -9,18 +15,24 @@
tag = "latest"; tag = "latest";
contents = pkgs.tlaternet-webserver.webserver; contents = pkgs.tlaternet-webserver.webserver;
config = { config = let
user = config.users.extraUsers.webserver;
group = config.users.groups.${user.group};
uid = toString user.uid;
gid = toString group.gid;
in {
Cmd = [ "tlaternet-webserver" ]; Cmd = [ "tlaternet-webserver" ];
Volumes = { "/srv/mail" = { }; }; Volumes = { "/srv/mail" = { }; };
Env = [ Env = [
"ROCKET_PORT=80" "ROCKET_PORT=3002"
"ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/" "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
]; ];
ExposedPorts = { "80" = { }; }; ExposedPorts = { "3002" = { }; };
User = "${uid}:${gid}";
}; };
}; };
ports = [ "3002:80" ]; ports = [ "3002:3002" ];
volumes = [ "tlaternet-mail:/srv/mail" ]; volumes = [ "tlaternet-mail:/srv/mail" ];
extraOptions = [ "--hostname=tlater.net" ]; extraOptions = [ "--hostname=tlater.net" ];
}; };
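Review bot: The new `users.extraUsers.webserver` block sets no `group`, so `config.users.groups.${user.group}` in the `let` resolves to whatever the module's default group is rather than a dedicated one, and that shared gid is what gets baked into `User = "${uid}:${gid}"`; recent NixOS releases also assert that `isSystemUser` accounts set `group` explicitly. I would add `group = "webserver";` to the user and declare `users.groups.webserver = { };` beside it so the container's gid is private to this service. The named volume `tlaternet-mail` is now mounted into an unprivileged container, so unless its existing contents are owned by uid 400 the process presumably loses write access to `/srv/mail` — worth checking on the deployed host. `users.extraUsers` is a legacy alias for `users.users`; the newer name reads better in fresh code.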


@ -30,6 +30,7 @@
tlaternet-webserver.legacyPackages.${prev.system}.packages; tlaternet-webserver.legacyPackages.${prev.system}.packages;
tlaternet-templates = tlaternet-templates =
tlaternet-templates.legacyPackages.${prev.system}.packages; tlaternet-templates.legacyPackages.${prev.system}.packages;
local = import ./pkgs { pkgs = prev; };
}) })
]; ];