colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

wg-home-refresh: harden systemd service

Browse Source
This commit is contained in:
Colin
2024-08-09 23:05:58 +00:00
parent 3aafcb0aa8
commit 055ad222e3
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
modules/vpn.nix
View File

@@ -197,6 +197,31 @@ let
sleep 180 sleep 180
done done
''; '';
# systemd hardening (systemd-analyze security wg-home-refresh.service)
serviceConfig.AmbientCapabilities = "CAP_NET_ADMIN";
serviceConfig.CapabilityBoundingSet = "CAP_NET_ADMIN";
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.ProtectClock = true;
serviceConfig.ProtectHostname = true;
serviceConfig.RemoveIPC = true;
serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
#VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
# see `systemd-analyze filesystems` for a full list
serviceConfig.RestrictFileSystems = "@common-block @basic-api";
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.SystemCallFilter = [
"@system-service"
"~@chown"
"~@cpu-emulation"
"~@keyring"
];
serviceConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
# serviceConfig.DeviceAllow = "/dev/...";
serviceConfig.RestrictNamespaces = true;
}; };
# networking.firewall.extraCommands = with pkgs; '' # networking.firewall.extraCommands = with pkgs; ''