Further harden systemd service

2026-05-29 11:20:21 +00:00 · 2026-03-31 13:01:13 -04:00
parent 6abc0eaca2
commit 5dc810ceef
1 changed files with 16 additions and 3 deletions
--- a/module.nix
+++ b/module.nix
@@ -194,22 +194,33 @@ in {
          serviceConfig = {
            User = cfg.user;
            Group = cfg.group;
+            UMask = "0077";
            ExecStart = lib.getExe cfg.package;
            Restart = "on-failure";
            RestartSec = 5;

            WorkingDirectory = cfg.dataDir;
            StateDirectory = "tranquil-pds";
+            ReadWritePaths = [
+              cfg.settings.storage.path
+            ];

            EnvironmentFile = cfg.environmentFiles;

+            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            ProtectProc = "invisible";
+            ProcSubset = "pid";
            NoNewPrivileges = true;
            ProtectSystem = "strict";
            ProtectHome = true;
            PrivateTmp = true;
            PrivateDevices = true;
+            PrivateUsers = true;
+            ProtectHostname = true;
+            ProtectClock = true;
            ProtectKernelTunables = true;
            ProtectKernelModules = true;
+            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            RestrictAddressFamilies = [
              "AF_INET"
@@ -222,10 +233,12 @@ in {
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            RemoveIPC = true;
-
-            ReadWritePaths = [
-              cfg.settings.storage.path
+            PrivateMounts = true;
+            SystemCallFilter = [
+              "@system-service"
+              "~@privileged @resources"
            ];
+            SystemCallArchitectures = "native";
          };
        };
      }