From 8c4af55f82ca5601e2bb4f3b7869da6d691859e2 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 10 Jul 2023 08:00:45 +0000
Subject: [PATCH] trust-dns: apply some hardening (still need more)

---
 modules/services/trust-dns.nix | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/modules/services/trust-dns.nix b/modules/services/trust-dns.nix
index 82cee2f4..374fef94 100644
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@@ -132,8 +132,29 @@ in
 Type = "simple";
 Restart = "on-failure";
 RestartSec = "10s";
- # TODO: hardening (like, don't run as root!)
 # TODO: link to docs
+ # TODO: hardening:
+ # - User/DynamicUser
+ # - Group
+ # - CapabilityBoundingSet
+ # - SystemCallFilter ?
+ # - RestrictAddressFamilies
+ # - LockPersonality ?
+ # use `systemd-analyze security trust-dns`
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
 };
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
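Review bot: The added sandbox settings are weaker than they look while the unit still runs as root with its full capability set, which the removed `# TODO: hardening (like, don't run as root!)` line pointed at and the new TODO only lists for later; a root service retaining CAP_SYS_ADMIN can generally undo the mount-namespace based protections (ProtectSystem/ProtectHome/PrivateMounts/PrivateTmp/ProtectKernelTunables), and NoNewPrivileges is not implied by these options when the service is not running as an unprivileged User=. Independently of the pending User/DynamicUser work, consider adding `NoNewPrivileges = true;`, `ProtectKernelModules = true;` and `RestrictNamespaces = true;` alongside the new settings now, since none of them depend on the user change. It would also help to extend the TODO with a line such as `# NOTE: most of the options below are advisory until the service drops root and CapabilityBoundingSet is set` so the next reader does not over-trust the list. The enclosing serviceConfig attribute set begins before the hunk, so whether User= or AmbientCapabilities= is already set elsewhere in it cannot be confirmed from here.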