diff --git a/nixos/modules/restricted-service.nix b/nixos/modules/restricted-service.nix
new file mode 100644
index 0000000000000000000000000000000000000000..8127149b9addb3eb555bf71fcb3dbfb5612d9f9b
--- /dev/null
+++ b/nixos/modules/restricted-service.nix
@@ -0,0 +1,48 @@
+{
+  serviceConfig.DynamicUser = true;
+
+  serviceConfig = {
+
+    # This set of restrictions is mostly dervied from
+    # - running `systemd-analyze security zkap-spending-service.service
+    # - Looking at the restrictions from the nixos nginx config.
+    AmbientCapabilities = "";
+    CapabilityBoundingSet = "";
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateNetwork = true;
+    PrivateTmp = true;
+    PrivateUsers = true;
+    ProcSubset = "pid";
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ProtectSystem = "strict";
+    RemoveIPC = true;
+    RestrictAddressFamilies = "AF_UNIX";
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    # Lines starting with "~" are deny-list the others are allow-list
+    # Since the first line is allow, that bounds the set of allowed syscalls
+    # and the further lines restrict it.
+    SystemCallFilter = [
+      # From systemd.exec(5), @system-service is "A reasonable set of
+      # system calls used by common system [...]"
+      "@system-service"
+      # This is from the nginx config, except that `@ipc` is not removed,
+      # since twisted uses a self-pipe.
+      "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+    ];
+    Umask = "0077";
+  };
+}
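Review bot: `Umask = "0077";` at the end of `serviceConfig` does not match the directive name in systemd.exec(5), which is `UMask=`; unit keys are case-sensitive as far as I know, so systemd would most likely warn about an unknown key and leave the default umask in place. The spelling is carried over unchanged from spending.nix, but since this file is now the shared profile the fix belongs here: `UMask = "0077";`. The header comment also still names `zkap-spending-service.service` (with an unclosed backtick and "dervied") and the `@ipc` remark refers to twisted, so it would help to state that `PrivateNetwork` and `RestrictAddressFamilies = "AF_UNIX"` assume a consumer that only serves a Unix socket.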
diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index ccbce1d3b4fbec4cc4bdeb0efd67653f5160581a..4c5563da5f11c6ca778c5f0dad36460383af66d5 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -1,4 +1,4 @@
-# A NixOS module which can run a Ristretto-based issuer for PrivateStorage
+# A NixOS module which can run a service tracking spending of ZKAPs.
 # ZKAPs.
 { lib, pkgs, config, ourpkgs, ... }@args: let
   cfg = config.services.private-storage-spending;
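Review bot: The unchanged second line `# ZKAPs.` is now a stray fragment, because the rewritten first line already ends with "of ZKAPs." and a full stop. Dropping that line would leave a clean one-line header comment.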
@@ -54,56 +54,12 @@ in
         serviceConfig.Restart = "always";
         serviceConfig.Type = "simple";
 
-        # Use a unnamed user.
-        serviceConfig.DynamicUser = true;
-
+        imports = [ ./restricted-service.nix ];
         serviceConfig = {
           # Work around https://twistedmatrix.com/trac/ticket/10261
           # Create a runtime directory so that the service has permission
           # to change the mode on the socket.
           RuntimeDirectory = "zkap-spending-service";
-
-          # This set of restrictions is mostly dervied from
-          # - running `systemd-analyze security zkap-spending-service.service
-          # - Looking at the restrictions from the nixos nginx config.
-          AmbientCapabilities = "";
-          CapabilityBoundingSet = "";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          PrivateNetwork = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictAddressFamilies = "AF_UNIX";
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          # Lines starting with "~" are deny-list the others are allow-list
-          # Since the first line is allow, that bounds the set of allowed syscalls
-          # and the further lines restrict it.
-          SystemCallFilter = [
-            # From systemd.exec(5), @system-service is "A reasonable set of
-            # system calls used by common system [...]"
-            "@system-service"
-            # This is from the nginx config, except that `@ipc` is not removed,
-            # since twisted uses a self-pipe.
-            "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
-          ];
-          Umask = "0077";
         };
 
         script = let
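Review bot: The `imports = [ ./restricted-service.nix ];` line replaces roughly forty lines of sandboxing with nothing at the call site to say so. It also sits inside the service definition rather than at module top level, which presumably relies on that attribute set being evaluated as a submodule. A short comment would cover both, for example `# DynamicUser and the systemd sandboxing options come from the shared profile; only service-specific settings stay here.` Since all hardening for the unit now arrives through this one line, re-running `systemd-analyze security zkap-spending-service.service` and comparing it with the result from before the move would confirm nothing was lost. The service definition starts above this hunk and `script = let` continues past it.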