tsuki/borg: partial systemd hardening

There's still quite a bit to do, but the service fails on a weird option
that I've not been able to pin down. At least this is better than
nothing ¯\_(ツ)_/¯

hosts/tsuki/services/borg.nix

@@ -1,5 +1,6 @@
-{ config, ... }:
+{ config, lib, ... }: let
-{
+  cfg = config.services.borgbackup;
+in {
   services.borgbackup.jobs = let
     createJob = path: endpoint: {
       paths = path;
@@ -14,4 +15,44 @@
     minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
     gitea = createJob config.services.gitea.dump.backupDir "gitea";
   };
+
+  systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {
+    "borgbackup-job-${name}".serviceConfig = {
+      # DynamicUser = true;
+      BindReadOnlyPaths = [
+        "/home/h7x4/.ssh/id_rsa"
+        cfg.jobs.${name}.paths
+      ];
+      # IPAddressAllow="10.0.0.220";
+
+      # hardening
+      # CapabilityBoundingSet = "";
+      LockPersonality = true;
+      # MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      # PrivateMounts = true;
+      # PrivateTmp = true;
+      # PrivateUsers = true;
+      ProtectClock = true;
+      # ProtectHome = "read-only";
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      # ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+      ];
+      # SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+      UMask = "0077";
+    };
+  }));
 }