services: matrix bridge fix signal

2022-12-30 13:53:08 +01:00 · 2022-12-30 13:53:08 +01:00 · 91c5be61fd
commit 91c5be61fd
parent f5b6f5fb8f
1 changed files with 47 additions and 4 deletions
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@ -101,20 +101,61 @@ in {
          User = "mautrix-whatsapp";
          Group = "mautrix-whatsapp";
          Environment = "HOME=/var/lib/mautrix-whatsapp";
-          PrivateTmp = true;
+          ReadWritePaths="/var/log/mautrix-whatsapp";
+          NoNewPrivileges=true;
+          MemoryDenyWriteExecute=true;
+          PrivateDevices=true;
+          PrivateTmp=true;
+          ProtectHome=true;
+          ProtectSystem="strict";
+          ProtectControlGroups=true;
+          RestrictSUIDSGID=true;
+          RestrictRealtime=true;
+          LockPersonality=true;
+          ProtectKernelLogs=true;
+          ProtectKernelTunables=true;
+          ProtectHostname=true;
+          ProtectKernelModules=true;
+          PrivateUsers=true;
+          ProtectClock=true;
+          SystemCallArchitectures="native";
+          SystemCallErrorNumber="EPERM";
+          SystemCallFilter="@system-service";
        };
      };
      mautrix-signal = {
        description = "Matrix <-> Signal bridge";
        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
+        after = [ "network.target" "postgresql.service" "matrix-synapse.service" "signald.service" ];
        requires = [ "postgresql.service" "matrix-synapse.service" "signald.service"];
        script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
        serviceConfig = {
          User = "mautrix-signal";
          Group = "mautrix-signal";
-          Environment = "HOME=/var/lib/mautrix-whatsapp";
-          PrivateTmp = true;
+          Environment = "HOME=/var/lib/mautrix-signal";
+          ReadWritePaths= [
+            "/var/run/signald/signald.sock"
+            "/var/log/mautrix-signal"
+          ];
+          NoNewPrivileges=true;
+          MemoryDenyWriteExecute=true;
+          PrivateDevices=true;
+          PrivateTmp=true;
+          ProtectHome=true;
+          ProtectSystem="strict";
+          ProtectControlGroups=true;
+          RestrictSUIDSGID=true;
+          RestrictRealtime=true;
+          LockPersonality=true;
+          ProtectKernelLogs=true;
+          ProtectKernelTunables=true;
+          ProtectHostname=true;
+          ProtectKernelModules=true;
+          PrivateUsers=true;
+          ProtectClock=true;
+          SystemCallArchitectures="native";
+          SystemCallErrorNumber="EPERM";
+          SystemCallFilter="@system-service";
        };
      };
  };
@ -199,6 +240,8 @@ in {
      };
      signald = {
        enable = true;
+        user = "mautrix-signal";
+        group = "mautrix-signal";
      };
  };