From 36c9a5affcc250d79c3287c22bf5020705a1baf7 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 5 Nov 2025 09:37:20 +0900
Subject: [PATCH] common/wpa_supplicant: harden

---
 hosts/common/default.nix | 1 +
 hosts/common/services/wpa_supplicant.nix | 63 ++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 hosts/common/services/wpa_supplicant.nix

diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 81b4cbb..e592196 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -41,6 +41,7 @@ in {
 ./services/uptimed.nix
 ./services/userborn.nix
 ./services/userdbd.nix
+ ./services/wpa_supplicant.nix
 ./services/xserver.nix
 ];

diff --git a/hosts/common/services/wpa_supplicant.nix b/hosts/common/services/wpa_supplicant.nix
new file mode 100644
index 0000000..98df4d5
--- /dev/null
+++ b/hosts/common/services/wpa_supplicant.nix
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+let
+ cfg = config.networking.wireless;
+in
+{
+ systemd.services.wpa_supplicant.serviceConfig = lib.mkIf (cfg.enable || config.networking.hostName == "xps16") {
+ RuntimeDirectory = [
+ "wpa_supplicant"
+ "wpa_supplicant/root-mnt"
+ ];
+ RootDirectory = "/run/wpa_supplicant/root-mnt";
+ BindPaths = [
+ "/etc"
+ "/run/dbus/system_bus_socket"
+ "/tmp"
+ ];
+ BindReadOnlyPaths = [
+ # "/bin/sh"
+ builtins.storeDir
+ ];
+
+ # wpa_ctrl puts sockets in /tmp
+ PrivateTmp = false;
+ # PrivateTmp = lib.mkIf (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) "disconnected";
+
+ CapabilityBoundingSet = [
+ "CAP_NET_ADMIN"
+ "CAP_BLOCK_SUSPEND"
+ "CAP_NET_RAW"
+ "CAP_CHOWN"
+ ];
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "@chown"
+ ];
+ ProtectProc = "invisible";
+ SystemCallArchitectures = "native";
+ DeviceAllow = "/dev/rfkill";
+ DevicePolicy = "closed";
+ NoNewPrivileges = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectSystem = true;
+ ProtectHome = true;
+ MemoryDenyWriteExecute = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ "AF_PACKET"
+ # "AF_ALG" # Used for 'linux' TLS backend
+ ] ++ lib.optionals cfg.dbusControlled [
+ "AF_UNIX"
+ ];
+ };
+}
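Review bot: `RestrictAddressFamilies` admits AF_UNIX only under `lib.optionals cfg.dbusControlled`, yet the rest of the hunk provisions a socket-based control interface irrespective of D-Bus — `RuntimeDirectory` creates `wpa_supplicant` and the `/tmp` bind is justified by the `wpa_ctrl` comment — so with `dbusControlled = false` the daemon would presumably be refused the Unix socket it creates for `ctrl_interface`, and wpa_cli would stop working. Unless the control interface is known to be disabled in that configuration, make the family unconditional: put `"AF_UNIX"` after `"AF_PACKET"` in the main list and drop the `] ++ lib.optionals cfg.dbusControlled [ "AF_UNIX" ];` tail. Separately, `BindPaths = [ "/etc" ... ]` mounts the entire host `/etc` read-write inside the `RootDirectory`, which gives back much of what `ProtectSystem = true` narrows; if the only write the daemon needs is to its own configuration file, bind `/etc` through `BindReadOnlyPaths` and list just that file in `BindPaths`.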