From 697edc20fc46870fb96e6446473a3d26bbfab697 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 17 Nov 2024 21:11:36 +0000
Subject: [PATCH] servo: prosody: harden systemd serivice

---
 hosts/by-name/servo/services/prosody/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hosts/by-name/servo/services/prosody/default.nix b/hosts/by-name/servo/services/prosody/default.nix
index e6e2417ca..b65f95501 100644
--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@@ -283,4 +283,20 @@ in
 ntfy_topic = readAll("/run/secrets/ntfy-sh-topic")
 '';
 };
+
+ systemd.services.prosody = {
+ # hardening (systemd-analyze security prosody)
+ serviceConfig.LockPersonality = true;
+ serviceConfig.NoNewPrivileges = true;
+ serviceConfig.PrivateUsers = true;
+ serviceConfig.ProcSubset = "pid";
+ serviceConfig.ProtectClock = true;
+ serviceConfig.ProtectKernelLogs = true;
+ serviceConfig.ProtectProc = "invisible";
+ serviceConfig.ProtectSystem = "strict";
+ serviceConfig.RemoveIPC = true;
+ serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ serviceConfig.SystemCallArchitectures = "native";
+ serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+ };
 }
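Review bot: `ProtectSystem = "strict"` is added without any `ReadWritePaths` or `StateDirectory` in the same hunk, so every path outside `/dev`, `/proc` and `/sys` becomes read-only for the unit; unless the upstream NixOS prosody module already declares a writable state directory, prosody's data directory (where it stores rosters, archives and account data) will be unwritable and the service will fail at runtime rather than at evaluation. I would pair the setting with an explicit grant such as `serviceConfig.StateDirectory = "prosody";` (or `serviceConfig.ReadWritePaths = [ "<prosody data dir: placeholder>" ];`) and note in the hardening comment which paths the daemon must write. Two further entries deserve a runtime check: `~@resources` in `SystemCallFilter` blocks `setrlimit`-family calls, which prosody's startup may issue to raise its file-descriptor limit, and `PrivateUsers = true` discards any capabilities the module may rely on to bind ports below 1024 — both would show up as startup or listener errors in the journal, not in `systemd-analyze security`. The enclosing attribute set (`in { … }`) starts before the hunk, and the context lines show the secret is read from `/run/secrets/ntfy-sh-topic`, which `ProtectSystem` does not affect.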