tsuki/vaultwarden: systemd harden

2023-07-28 21:52:51 +02:00 · 2023-07-28 21:52:51 +02:00 · 816a46603a
parent 0137f4f5a9
commit 816a46603a
1 changed files with 33 additions and 0 deletions
--- a/hosts/tsuki/services/vaultwarden.nix
+++ b/hosts/tsuki/services/vaultwarden.nix
@ -19,6 +19,39 @@

  systemd.services.vaultwarden = {
    requires = [ "postgresql.service" ];
+
+    serviceConfig = {
+      # Extra hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      # MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0007";
+    };
  };

  services.postgresql = {