diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix
index 6fa5621..a4bc93b 100644
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@@ -1,5 +1,4 @@
 {
- lib,
 config,
 pkgs,
 myData,
@@ -177,77 +176,6 @@ in
 };
 };
- users = {
- users.mount-test = {
- name = "mount-test";
- group = "mount-test";
- isSystemUser = true;
- };
- groups.mount-test = { };
- };
-
- systemd.tmpfiles.rules = [ "d /data 0755 root root -" ];
-
- systemd.services.mount-test = {
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- RuntimeDirectory = "mount-test";
- TemporaryFileSystem = "/data";
- BindPaths = [ "/home/motiejus/x:/var/run/mount-test/bind-paths/x" ];
- PrivateDevices = false;
-
- Type = "simple";
- Restart = "on-failure";
- RestartSec = 10;
-
- # Hardening
- NoNewPrivileges = true;
- PrivateTmp = true;
- PrivateMounts = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
-
- User = "mount-test";
- Group = "mount-test";
- ExecStart =
- "!"
- + (lib.getExe (
- pkgs.writeShellApplication {
- name = "mount-test";
- runtimeInputs = with pkgs; [
- bindfs
- util-linux
- ];
- text = ''
- set -x
- mkdir -p /data/x
- bindfs -d -u motiejus -g users /var/run/mount-test/bind-paths/x /data/x &
- sleep 1
- #exec setpriv \
- # --ruid mount-test \
- # --inh-caps -sys_admin,-setuid,-setgid \
- touch /data/x/foo
- '';
- }
- ));
- };
- };
-
 users.extraGroups.vboxusers.members = [ "motiejus" ];
 environment.systemPackages = with pkgs; [ dnsmasq ];