tsuki/borg: partial systemd hardening

There's still quite a bit to do, but the service fails on a weird option
that I've not been able to pin down. At least this is better than
nothing ¯\_(ツ)_/¯
Oystein Kristoffer Tveit 2023-10-06 13:44:53 +02:00
parent 450d26cf4b
commit 5bb10df9e1
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 43 additions and 2 deletions


@ -1,5 +1,6 @@
{ config, ... }:
{
{ config, lib, ... }: let
cfg = config.services.borgbackup;
in {
services.borgbackup.jobs = let
createJob = path: endpoint: {
paths = path;
@ -14,4 +15,44 @@
minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
gitea = createJob config.services.gitea.dump.backupDir "gitea";
};
systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {
"borgbackup-job-${name}".serviceConfig = {
# DynamicUser = true;
BindReadOnlyPaths = [
"/home/h7x4/.ssh/id_rsa"
cfg.jobs.${name}.paths
];
# IPAddressAllow="10.0.0.220";
# hardening
# CapabilityBoundingSet = "";
LockPersonality = true;
# MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
# PrivateMounts = true;
# PrivateTmp = true;
# PrivateUsers = true;
ProtectClock = true;
# ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
# SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
UMask = "0077";
};
}));
}
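Review bot: `BindReadOnlyPaths` in the second hunk puts `cfg.jobs.${name}.paths` as an element of a list, but the borgbackup module's `paths` option is, as far as I recall, coerced to a list of strings, so this likely yields a nested list that the unit-option type rejects — plausibly the "weird option" the description mentions; `BindReadOnlyPaths = [ "/home/h7x4/.ssh/id_rsa" ] ++ cfg.jobs.${name}.paths;` should be evaluated instead. Since `ProtectSystem`, `ProtectHome` and `DynamicUser` are all still commented out, the bind mounts only make those two paths read-only inside the unit; the rest of the filesystem remains fully visible and writable, so the hardening gained from this block is mostly the kernel/`Protect*` and syscall-filter lines. A short comment on the `BindReadOnlyPaths` line noting that the key path is bound read-only for the SSH transport, and that `ProtectSystem`/`ProtectHome` are the lines that would actually confine the view, would help whoever picks this up.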