harden service

2025-04-11 10:40:15 -05:00 · 2025-04-11 10:40:15 -05:00 · d502993daf
parent 9358d37e07
commit d502993daf
1 changed files with 27 additions and 0 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@ -140,6 +140,33 @@ in
              Restart = "always";
              RestartSec = "15";
              WorkingDirectory = instanceCfg.homeDir;
+              ReadWritePaths = [ instanceCfg.homeDir ];
+              CapabilityBoundingSet = "";
+              NoNewPrivileges = true;
+              ProtectSystem = "strict";
+              ProtectHome = true;
+              PrivateTmp = true;
+              PrivateDevices = true;
+              PrivateUsers = true;
+              ProtectHostname = true;
+              ProtectClock = true;
+              ProtectKernelTunables = true;
+              ProtectKernelModules = true;
+              ProtectKernelLogs = true;
+              ProtectControlGroups = true;
+              RestrictAddressFamilies = [
+                "AF_UNIX"
+                "AF_INET"
+                "AF_INET6"
+              ];
+              RestrictNamespaces = true;
+              LockPersonality = true;
+              MemoryDenyWriteExecute = true;
+              RestrictRealtime = true;
+              RestrictSUIDSGID = true;
+              RemoveIPC = true;
+              PrivateMounts = true;
+              SystemCallArchitectures = "native";
              ExecStart =
                let
                  configFile = pkgs.writeText "ugit-${name}.yaml" (