tsuki/vaultwarden: systemd harden

This commit is contained in:
Oystein Kristoffer Tveit 2023-07-28 21:52:51 +02:00
parent 0137f4f5a9
commit 816a46603a
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 33 additions and 0 deletions

View File

@ -19,6 +19,39 @@
systemd.services.vaultwarden = {
requires = [ "postgresql.service" ];
serviceConfig = {
# Extra hardening
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
# MemoryDenyWriteExecute = true;
PrivateMounts = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0007";
};
};
services.postgresql = {