modules/socketActivation: misc updates

2024-01-23 05:42:22 +01:00 · 2024-01-23 05:42:22 +01:00 · 64152ef675
parent b8daea8fc1
commit 64152ef675
1 changed files with 37 additions and 2 deletions
--- a/modules/socketActivation.nix
+++ b/modules/socketActivation.nix
@ -121,17 +121,52 @@ in
              connections-max = value.connectionsMax;
            };
          in ''${pkgs.systemd}/lib/systemd/systemd-socket-proxyd ${args} "${cfg.${name}.originalSocketAddress}"'';
+
+          CapabilityBoundingSet = "";
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
          PrivateNetwork = value.privateNamespace;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          # ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+          ];
+          UMask = "0007";
        };
      };

      services.${name} = {
+        wantedBy = lib.mkForce [ ];
        unitConfig = {
          StopWhenUnneeded = true;
+          RefuseManualStart = true;
        };

-        serviceConfig = lib.mkIf value.privateNamespace {
-          PrivateNetwork = true;
+        serviceConfig = {
+          PrivateNetwork = value.privateNamespace;
        };
      };
    }));