tsuki/borg: partial systemd hardening
There's still quite a bit to do, but the service fails on a weird option that I've not been able to pin down. At least this is better than nothing ¯\_(ツ)_/¯
This commit is contained in:
parent
450d26cf4b
commit
5bb10df9e1
@ -1,5 +1,6 @@
{ config, ... }:
{
{ config, lib, ... }: let
cfg = config.services.borgbackup;
in {
services.borgbackup.jobs = let
createJob = path: endpoint: {
paths = path;
@ -14,4 +15,44 @@
minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
gitea = createJob config.services.gitea.dump.backupDir "gitea";
};
|
systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {
"borgbackup-job-${name}".serviceConfig = {
# DynamicUser = true;
BindReadOnlyPaths = [
"/home/h7x4/.ssh/id_rsa"
cfg.jobs.${name}.paths
];
# IPAddressAllow="10.0.0.220";
|
# hardening
# CapabilityBoundingSet = "";
LockPersonality = true;
# MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
# PrivateMounts = true;
# PrivateTmp = true;
# PrivateUsers = true;
ProtectClock = true;
# ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
# SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
UMask = "0077";
};
}));
}
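Review bot: With `ProtectSystem` and `ProtectHome` still commented out, the `BindReadOnlyPaths` entries for `"/home/h7x4/.ssh/id_rsa"` and `cfg.jobs.${name}.paths` only make those two paths read-only — the job (running as root, since `DynamicUser` is disabled) still sees the entire filesystem, so nothing in this block confines what it can read, and a user's personal private key is being handed to a root unit where a dedicated backup key (e.g. under `/root` or `/var/lib/borgbackup`) would avoid exposing it. `SystemCallFilter` on its own is also weaker than it looks: systemd.exec(5) recommends pairing it with `SystemCallArchitectures = "native";` so secondary ABIs cannot sidestep the filter, and that option is an unlikely culprit for the failure mentioned in the description. As far as I recall nixpkgs coerces a string `paths` option into a list, so `cfg.jobs.${name}.paths` nests a list inside the `BindReadOnlyPaths` list; writing `] ++ lib.toList cfg.jobs.${name}.paths;` avoids depending on how a nested list is serialized. For tracking down the option that breaks the unit, `systemd-analyze security borgbackup-job-<name>.service` together with the unit's journal should narrow it down; a missing `"AF_UNIX"` in `RestrictAddressFamilies` (ssh-agent or ControlMaster sockets) is a common one to try first.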