servo: jackett: harden further

hosts/by-name/servo/services/jackett/default.nix

@@ -6,7 +6,7 @@ in
 {
   sane.persist.sys.byStore.private = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
+    { user = "jackett"; group = "jackett"; path = "/var/lib/jackett"; method = "bind"; }
   ];
   services.jackett.enable = true;
 
@@ -23,6 +23,7 @@ in
 
     # hardening (systemd-analyze security jackett)
     # TODO: upstream into nixpkgs
+    serviceConfig.StateDirectory = "jackett";
     serviceConfig.LockPersonality = true;
     serviceConfig.NoNewPrivileges = true;
     # serviceConfig.MemoryDenyWriteExecute = true;  #< Failed to create CoreCLR, HRESULT: 0x80004005
@@ -31,6 +32,21 @@ in
     serviceConfig.PrivateTmp = true;
     serviceConfig.PrivateUsers = true;
     serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" ];
   };
 
   # jackett torrent search