From be1336d8b84ba89607268bedcd6f5ed0c4030c5c Mon Sep 17 00:00:00 2001
From: gaykitty <126119280+gaykitty@users.noreply.github.com>
Date: Sun, 10 Mar 2024 15:22:32 -0400
Subject: [PATCH] nixos/stargazer: harden systemd service
---
 .../manual/release-notes/rl-2411.section.md | 6 +++
 .../services/web-servers/stargazer.nix | 38 +++++++++++++++++++
 nixos/tests/web-servers/stargazer.nix | 2 -
 3 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 29e29afd80ac..849be7376133 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -235,6 +235,12 @@ for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs).
+- The `stargazer` service has been hardened to improve security, but these
+ changes make break certain setups, particularly around traditional CGI.
+
+ - The `stargazer.allowCgiUser` option has been added, enabling
+ Stargazer's `cgi-user` option to work, which was previously broken.
+ + - The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option: ```
diff --git a/nixos/modules/services/web-servers/stargazer.nix b/nixos/modules/services/web-servers/stargazer.nix
index b8374313723d..249fd30bf600 100644
--- a/nixos/modules/services/web-servers/stargazer.nix
+++ b/nixos/modules/services/web-servers/stargazer.nix
@@ -225,6 +225,44 @@ in
 "CAP_SETGID"
 "CAP_SETUID"
 ];
+
+ # Hardening
+ UMask = "0077";
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ PrivateDevices = true;
+ NoNewPrivileges = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RemoveIPC = true;
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PTRACE"
+ "~CAP_SYS_ADMIN"
+ "~CAP_SETPCAP"
+ "~CAP_SYS_TIME"
+ "~CAP_SYS_PACCT"
+ "~CAP_SYS_TTY_CONFIG "
+ "~CAP_SYS_CHROOT"
+ "~CAP_SYS_BOOT"
+ "~CAP_NET_ADMIN"
+ ] ++ lib.lists.optional (!cfg.allowCgiUser) [
+ "~CAP_SETGID"
+ "~CAP_SETUID"
+ ];
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete" ]
+ ++ lib.lists.optional (!cfg.allowCgiUser) [ "@privileged @setuid" ];
 };
 };
diff --git a/nixos/tests/web-servers/stargazer.nix b/nixos/tests/web-servers/stargazer.nix
index 70a9fee456f1..b687f2046a04 100644
--- a/nixos/tests/web-servers/stargazer.nix
+++ b/nixos/tests/web-servers/stargazer.nix
@@ -145,8 +145,6 @@ in
 geminiserver.wait_for_unit("scgi_server")
 geminiserver.wait_for_open_port(1099)
 geminiserver.wait_for_unit("stargazer")
- geminiserver.wait_for_unit("stargazer")
- cgiTestServer.wait_for_open_port(1965)
 cgiTestServer.wait_for_open_port(1965)
 with subtest("stargazer test suite"):
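Review bot: `lib.lists.optional` wraps its argument in a one-element list, so both conditional appends in this hunk (`CapabilityBoundingSet` and `SystemCallFilter`) yield a nested list instead of extra entries; the intended helper is `lib.lists.optionals`, i.e. `] ++ lib.lists.optionals (!cfg.allowCgiUser) [` and `++ lib.lists.optionals (!cfg.allowCgiUser) [ "@privileged @setuid" ];`. If the unit serialiser flattens the inner list onto one `CapabilityBoundingSet=~CAP_SETGID ~CAP_SETUID` line, systemd treats only the leading `~` as the inversion and would not recognise the second token as a capability name, so CAP_SETUID could remain in the bounding set — worth confirming with `systemctl show stargazer -p CapabilityBoundingSet`. Separately, `"~CAP_SYS_TTY_CONFIG "` carries a trailing space inside the string literal and should read `"~CAP_SYS_TTY_CONFIG"`. The list closed by the hunk's leading context (it starts outside the hunk) also lists `CAP_SETGID`/`CAP_SETUID`; if that is `AmbientCapabilities`, it presumably needs the same `cfg.allowCgiUser` guard, since requesting a capability ambiently after dropping it from the bounding set can make the service fail at exec time. `cfg.allowCgiUser` is not declared anywhere in this patch, so it is assumed to come from a sibling commit.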