wg-home-refresh: harden systemd service

2024-08-09 23:05:58 +00:00
parent 3aafcb0aa8
commit 055ad222e3
1 changed files with 25 additions and 0 deletions
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -197,6 +197,31 @@ let
          sleep 180
        done
      '';
+      # systemd hardening (systemd-analyze security wg-home-refresh.service)
+      serviceConfig.AmbientCapabilities = "CAP_NET_ADMIN";
+      serviceConfig.CapabilityBoundingSet = "CAP_NET_ADMIN";
+      serviceConfig.LockPersonality = true;
+      serviceConfig.MemoryDenyWriteExecute = true;
+      serviceConfig.NoNewPrivileges = true;
+      serviceConfig.ProtectClock = true;
+      serviceConfig.ProtectHostname = true;
+      serviceConfig.RemoveIPC = true;
+      serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
+      #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
+      # see `systemd-analyze filesystems` for a full list
+      serviceConfig.RestrictFileSystems = "@common-block @basic-api";
+      serviceConfig.RestrictRealtime = true;
+      serviceConfig.RestrictSUIDSGID = true;
+      serviceConfig.SystemCallArchitectures = "native";
+      serviceConfig.SystemCallFilter = [
+        "@system-service"
+        "~@chown"
+        "~@cpu-emulation"
+        "~@keyring"
+      ];
+      serviceConfig.DevicePolicy = "closed";  # only allow /dev/{null,zero,full,random,urandom}
+      # serviceConfig.DeviceAllow = "/dev/...";
+      serviceConfig.RestrictNamespaces = true;
    };

    # networking.firewall.extraCommands = with pkgs; ''