tsuki/borg: partial systemd hardening

There's still quite a bit to do, but the service fails on a weird option that I've not been able to pin down. At least this is better than nothing ¯\_(ツ)_/¯
2023-10-06 13:44:53 +02:00 · 2023-10-06 13:44:53 +02:00 · 5bb10df9e1
parent 450d26cf4b
commit 5bb10df9e1
1 changed files with 43 additions and 2 deletions
--- a/hosts/tsuki/services/borg.nix
+++ b/hosts/tsuki/services/borg.nix
@ -1,5 +1,6 @@
-{ config, ... }:
-{
+{ config, lib, ... }: let
+  cfg = config.services.borgbackup;
+in {
  services.borgbackup.jobs = let
    createJob = path: endpoint: {
      paths = path;
@ -14,4 +15,44 @@
    minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
    gitea = createJob config.services.gitea.dump.backupDir "gitea";
  };
+
+  systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {
+    "borgbackup-job-${name}".serviceConfig = {
+      # DynamicUser = true;
+      BindReadOnlyPaths = [
+        "/home/h7x4/.ssh/id_rsa"
+        cfg.jobs.${name}.paths
+      ];
+      # IPAddressAllow="10.0.0.220";
+
+      # hardening
+      # CapabilityBoundingSet = "";
+      LockPersonality = true;
+      # MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      # PrivateMounts = true;
+      # PrivateTmp = true;
+      # PrivateUsers = true;
+      ProtectClock = true;
+      # ProtectHome = "read-only";
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      # ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+      ];
+      # SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+      UMask = "0077";
+    };
+  }));
 }