diff --git a/nixos/boxes/vultr1/default.nix b/nixos/boxes/vultr1/default.nix
index b9a1292f..4ae3d0b5 100644
--- a/nixos/boxes/vultr1/default.nix
+++ b/nixos/boxes/vultr1/default.nix
@@ -4,14 +4,15 @@
 
   imports = [
     ./vultr-boot.nix
-    ../../server-security.nix
-    ../../tailscale.nix
     ./tailscale-vultr1.nix
-    ../cli.nix
-    ./nginx.nix
     ./folding.nix
     ./matrix-front.nix
+    ./nginx.nix
     ./search.nix
+    ./snowflake.nix
+    ../cli.nix
+    ../../server-security.nix
+    ../../tailscale.nix
   ];
 
   systemd.extraConfig = ''
diff --git a/nixos/boxes/vultr1/snowflake.nix b/nixos/boxes/vultr1/snowflake.nix
new file mode 100644
index 00000000..a28738d4
--- /dev/null
+++ b/nixos/boxes/vultr1/snowflake.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+{
+  containers.snowflake = {
+    autoStart = true;
+    ephemeral = true;
+    config = {
+      systemd.services.snowflake = {
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          IPAccounting = "yes";
+          ExecStart = "${pkgs.snowflake}/bin/proxy";
+          DynamicUser = "yes";
+          # Read-only filesystem
+          ProtectSystem = "strict";
+          PrivateDevices = "yes";
+          ProtectKernelTunables = "yes";
+          ProtectControlGroups = "yes";
+          ProtectHome = "yes";
+          # Deny access to as many things as possible
+          NoNewPrivileges = "yes";
+          PrivateUsers = "yes";
+          LockPersonality = "yes";
+          MemoryDenyWriteExecute = "yes";
+          ProtectClock = "yes";
+          ProtectHostname = "yes";
+          ProtectKernelLogs = "yes";
+          ProtectKernelModules = "yes";
+          RestrictNamespaces = "yes";
+          RestrictRealtime = "yes";
+          RestrictSUIDSGID = "yes";
+          SystemCallArchitectures = "native";
+          SystemCallFilter = "~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged @resources";
+          CapabilityBoundingSet = "";
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+        };
+      };
+    };
+  };
+}
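Review bot: The `containers.snowflake = {` block in snowflake.nix sets no `privateNetwork`, and the NixOS default is to share the host's network namespace, so the proxy process can reach every loopback listener on this box (nginx, matrix-front and search are imported next to it in default.nix) and none of the per-service hardening below restricts that. Because the proxy only needs outbound reachability to remote peers, add `IPAddressDeny = "localhost link-local multicast";` beside `IPAccounting = "yes";` so a compromised proxy is kept off host-local services; if the Tailscale interface from `../../tailscale.nix` is up on this host, its address range presumably wants the same treatment. `RestrictAddressFamilies = "AF_INET AF_INET6";` would close the remaining socket types as well, but confirm the binary opens no AF_UNIX socket before adding it. Setting `privateNetwork = true;` instead would give real isolation at the cost of host-side NAT for the container's outbound traffic. The `config` and `lib` arguments on the first line are unused and can be dropped.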