makes actual-server system-wide and hardens it

2025-10-17 10:55:11 +02:00 · 2025-10-17 10:55:11 +02:00 · b9a18d4ef5
commit b9a18d4ef5
parent cd14ccf417
1 changed files with 38 additions and 1 deletions
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@ -3,7 +3,7 @@
  ...
 }:
 {
-  systemd.user.services.actual-server = {
+  systemd.services.actual-server = {
    enable = true;
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
@ -18,4 +18,41 @@
      RestartSec = 3;
    };
  };
+
+  # hardening
+  DynamicUser = true;
+  DevicePolicy = "closed";
+  CapabilityBoundingSet = "";
+  RestrictAddressFamilies = [
+    "AF_INET"
+    "AF_INET6"
+    "AF_UNIX"
+    "AF_NETLINK"
+  ];
+  DeviceAllow = "";
+  NoNewPrivileges = true;
+  PrivateDevices = true;
+  PrivateMounts = true;
+  PrivateTmp = true;
+  PrivateUsers = true;
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  ProtectHome = true;
+  ProtectKernelLogs = true;
+  ProtectKernelModules = true;
+  ProtectKernelTunables = true;
+  ProtectSystem = "strict";
+  LockPersonality = true;
+  RemoveIPC = true;
+  RestrictNamespaces = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  SystemCallArchitectures = "native";
+  SystemCallFilter = [
+    "@system-service"
+    "~@resources"
+  ];
+  ProtectProc = "invisible";
+  ProtectHostname = true;
+  UMask = "0077";
 }