fix(gatus): permission to ping

2026-02-09 04:19:19 -08:00 · 2024-11-20 11:30:21 -08:00 · 2024-11-20 11:30:21 -08:00 · bd7c9ee8f3
commit bd7c9ee8f3
parent e3d22ca33f
8 changed files with 66 additions and 7 deletions
--- a/modules/nixos/gatus.nix
+++ b/modules/nixos/gatus.nix
@ -4,7 +4,7 @@
  pkgs,
  ...
 }: let
-  inherit (lib.options) mkOption;
+  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge mkForce;
  inherit (lib.attrsets) attrValues;
  inherit (lib.lists) length unique;
@ -211,6 +211,10 @@ in {
      };
    };
  in with types; {
+    hardening = {
+      enable = mkEnableOption "sandbox and harden service";
+      icmp.enable = mkEnableOption "needed for ICMP probes";
+    };
    user = mkOption {
      type = nullOr str;
      default = null;
@ -236,11 +240,44 @@ in {
      }
    ];
    conf.systemd.services.gatus = {
-      serviceConfig.User = mkIf (cfg.user != null) (mkForce cfg.user);
+      serviceConfig = mkMerge [
+        serviceConfig
+        (mkIf cfg.hardening.enable serviceConfig'hardening)
+      ];
    };
    serviceConf = {
      services.gatus.settings.endpoints = mkIf (cfg.endpoints != {}) (attrValues cfg.endpoints);
    };
+    serviceConfig = {
+      User = mkIf (cfg.user != null) (mkForce cfg.user);
+
+      AmbientCapabilities = mkIf cfg.hardening.icmp.enable ["CAP_NET_RAW"];
+    };
+    serviceConfig'hardening = {
+      DevicePolicy = "closed";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      UMask = "0077";
+    };
  in mkMerge [
    (mkIf cfg.enable conf)
    serviceConf
--- a/modules/system/exports/monitoring.nix
+++ b/modules/system/exports/monitoring.nix
@ -258,6 +258,10 @@ in
          // {
            default = config.access.online.enable;
          };
+        displayName = mkOption {
+          type = str;
+          default = config.name;
+        };
        alert = {
          enable =
            mkEnableOption "health check alerts"
--- a/modules/system/exports/unifi.nix
+++ b/modules/system/exports/unifi.nix
@ -6,6 +6,7 @@
  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 in {
  config.exports.services.unifi = {config, ...}: {
+    displayName = mkAlmostOptionDefault "UniFi";
    nixos.serviceAttr = "unifi";
    defaults.port.listen = mkAlmostOptionDefault "lan";
    ports = {