tsuki/hydra: harden server unit

This commit is contained in:
Oystein Kristoffer Tveit 2024-01-23 05:36:39 +01:00
parent ce5c3666b9
commit 22f5345026
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 39 additions and 0 deletions


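--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -36,4 +36,43 @@
 hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";
 hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";
 };
+systemd.services.hydra-server.serviceConfig = {
+Slice = "system-hydra.slice";
+ReadOnlyPaths = [
+"/nix/"
+"/var/lib/hydra/scm/"
+];
+ReadWritePaths = [
+"/nix/var/nix/gcroots/hydra/"
+"/nix/var/nix/daemon-socket/socket"
+];
+LockPersonality = true;
+# MemoryDenyWriteExecute = false;
+NoNewPrivileges = true;
+PermissionsStartOnly = true;
+PrivateDevices = true;
+PrivateMounts = true;
+# PrivateNetwork=false
+PrivateTmp = true;
+PrivateUsers = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RemoveIPC = true;
+Restart = "always";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+# StateDirectory=hydra/www
+# StateDirectoryMode=700
+SystemCallArchitectures = "native";
+SystemCallFilter = "@system-service";
+};
 }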
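Review bot: `ReadWritePaths` near the top of the new `serviceConfig` lists the nix-daemon socket as a single file, `/nix/var/nix/daemon-socket/socket`; systemd realises these entries as bind mounts, so a non-directory entry is pinned to the inode present when the unit starts, and if nix-daemon is restarted and recreates its socket the server may keep a stale mount and lose daemon access until it is restarted itself (worth confirming on this host). Listing the directory instead, `"/nix/var/nix/daemon-socket/"`, sidesteps that while the rest of `/nix` stays read-only through `ProtectSystem = "strict"` and the `/nix/` entry in `ReadOnlyPaths`. The three commented-out directives (`MemoryDenyWriteExecute`, `PrivateNetwork`, `StateDirectory`/`StateDirectoryMode`) carry no reason, so a later reader cannot tell whether they broke hydra-server or were merely deferred; a one-line note on each, in the shape `# MemoryDenyWriteExecute left off: <reason> — revisit`, would settle that. The enclosing module attribute set begins before the hunk.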