From def4eec2d59a69b4638b3f25d6d713b703b2fa56 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 31 Jan 2026 13:43:15 +0900
Subject: [PATCH] module.nix: add some systemd hardening

---
 nix/module.nix | 55 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)

diff --git a/nix/module.nix b/nix/module.nix
index c8ac567..c89d9b8 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -53,7 +53,60 @@ in {
       Restart = "on-failure";
       DynamicUser = true;
-      # TODO: hardening
+      # NOTE: roowho2 might at some point need to read from home directories
+      # to get user settings, so let's keep these disabled for now.
+      # PrivateUsers = true;
+      # ProtectHome = true;
+
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      DeviceAllow = "";
+      DevicePolicy = "closed";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      # NOTE: all ipc traffic is served through the socket activation fds or provided by systemd
+      PrivateIPC = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = "strict";
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SocketBindDeny = "any";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+
+      RuntimeDirectory = "roowho2/root-mnt";
+      RuntimeDirectoryMode = "0700";
+      RootDirectory = "/run/roowho2/root-mnt";
+      BindReadOnlyPaths = [
+        builtins.storeDir
+        "/etc"
+        # NOTE: need logind socket for utmp entries
+        "/run/systemd"
+      ];
+
+      UMask = "0077";
     };
   };
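Review bot: The NOTE above the commented-out `ProtectHome` reads as if leaving it unset keeps home directories reachable, but with `RootDirectory = "/run/roowho2/root-mnt"` the service only sees the `BindReadOnlyPaths` entries, so `/home` is not visible either way, and per systemd.exec(5) `DynamicUser = true` already implies `ProtectHome=read-only` and `ProtectSystem=strict`. I would reword it to `# NOTE: DynamicUser already implies ProtectHome=read-only; reading home directories for user settings later would also need a BindReadOnlyPaths entry for /home, so PrivateUsers/ProtectHome are left unset for now.` so the next person does not expect the current chroot to reach them. `BindReadOnlyPaths` also maps all of `/run/systemd` for one logind socket; a read-only bind does not prevent connecting to the other sockets in that tree, so if the exact socket path is known, binding just that file narrows the surface. Whether `AF_INET`/`AF_INET6` and `AF_NETLINK` are actually needed is not visible here; if the service only talks over the activation socket and logind, `IPAddressDeny = "any";` would close the network without changing anything else. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.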