NetworkManager-dispatcher: harden systemd service

hosts/common/net/networkmanager.nix

@@ -120,9 +120,26 @@ in {
     # ];
     # serviceConfig.Restart = "always";
     # serviceConfig.RestartSec = "1s";
-    serviceConfig.User = "networkmanager";
+
+    serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
     serviceConfig.Group = "networkmanager";
-    # TODO: it needs access only to the above mentioned directories
+    serviceConfig.LockPersonality = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_UNIX"  # required, probably for dbus or systemd connectivity
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
   };
 
   # harden wpa_supplicant (used by NetworkManager)