From 6663a8f280c3d77ff8fbe5e252813ebc1600973b Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 28 Jul 2023 22:25:50 +0200
Subject: [PATCH] tsuki/atuin: systemd harden

---
 hosts/tsuki/services/atuin.nix | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/hosts/tsuki/services/atuin.nix b/hosts/tsuki/services/atuin.nix
index 399c815..26f9b78 100644
--- a/hosts/tsuki/services/atuin.nix
+++ b/hosts/tsuki/services/atuin.nix
@@ -4,4 +4,42 @@
     enable = true;
     openRegistration = false;
   };
+
+  systemd.services.atuin = {
+    requires = [ "postgresql.service" ];
+    serviceConfig = {
+      # Hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        # Required for connecting to database sockets,
+        # and listening to unix socket at `cfg.settings.path`
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged";
+      UMask = "0007";
+    };
+  };
 }
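Review bot: `requires = [ "postgresql.service" ];` declares a dependency but no ordering, so unless the NixOS atuin module already sets it, systemd may start atuin in parallel with PostgreSQL and the first database connection can fail; add `after = [ "postgresql.service" ];` beside it. The `SystemCallFilter` line is a deny-list of syscall groups, which only blocks what is named; an allow-list such as `SystemCallFilter = [ "@system-service" "~@privileged @resources" ];` rejects everything the service was not shown to need and is the form most hardened NixOS services use. `ProtectSystem = "full"` still leaves `/var` writable; `"strict"` would close that, but it presumably requires the service's data directory to be granted via `StateDirectory` or `ReadWritePaths`, so confirm what the module provides before switching. A short comment above `SystemCallFilter` explaining why a deny-list was chosen (if deliberate) would help the next reader, e.g. `# Deny-list rather than @system-service allow-list: TODO confirm atuin's required syscall groups`.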