WIP

base.nix

@@ -174,6 +174,7 @@
     extraConfig = "return 444;";
   };
 
+  # TODO: upstream
   # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
   systemd.services.logrotate = {
     documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
@@ -210,6 +211,8 @@
       SystemCallArchitectures = "native";
       SystemCallFilter = [
         "@system-service"
+        # "~@privileged"
+        # "~@resources"
       ];
     };
   };

hosts/bekkalokk/services/phpfpm.nix

@@ -31,7 +31,7 @@ in
       PrivateMounts = true;
       ProtectClock = true;
       ProtectControlGroups = true;
-      ProtectHome = true;
+      ProtectHome = true; # Needed to read passwords from /run maybe?
       ProtectHostname = true;
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
@@ -45,6 +45,8 @@ in
       KeyringMode = "private";
       SystemCallFilter = [
         "@system-service"
+        # "~@privileged"
+        # "~@resources"
       ];
     };
   });

hosts/bekkalokk/services/vaultwarden.nix

@@ -71,6 +71,8 @@ in {
       AmbientCapabilities = [ "" ];
       CapabilityBoundingSet = [ "" ];
       DeviceAllow = [ "" ];
+      # IPAddressDeny = [ "any" ];
+      # IPAddressAllow = [  ];
       LockPersonality = true;
       NoNewPrivileges = true;
       # MemoryDenyWriteExecute = true;