From c8db83b925a3470298428b7963a96b4a9eea8151 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 12 Jul 2023 02:00:06 +0200
Subject: [PATCH] tsuki/plex: harden systemd unit
---
 hosts/tsuki/services/plex.nix | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/hosts/tsuki/services/plex.nix b/hosts/tsuki/services/plex.nix
index 1eb511a..78c9fe7 100644
--- a/hosts/tsuki/services/plex.nix
+++ b/hosts/tsuki/services/plex.nix
@@ -1,10 +1,34 @@
-{ config, secrets, ... }:
-{
+{ config, secrets, ... }: let
+ cfg = config.services.plex;
+in {
 services.plex = {
 enable = true;
 openFirewall = true;
 dataDir = "${config.machineVars.dataDrives.default}/var/plex";
 };
+ systemd.services.plex.serviceConfig = {
+ ReadWritePaths = [ cfg.dataDir ];
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ PrivateMounts = true;
+ RestrictSUIDSGID = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = true;
+ ProtectHome = true;
+ # PrivateNetwork = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ UMask = "0007";
+ # RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ SystemCallArchitectures = "native";
+ };
+ # networking.firewall.allowedTCPPorts = [ secrets.ports.plex ];
 }
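Review bot: `ProtectProc = true;` in the new serviceConfig block is not a valid setting: systemd's ProtectProc= takes one of `noaccess`, `invisible`, `ptraceable` or `default`, so the rendered `ProtectProc=true` line is logged as a parse error and ignored, and the /proc hiding this hunk intends never takes effect. Change it to `ProtectProc = "invisible";` (or `"noaccess"` if the service needs no view of other processes at all). With `RestrictAddressFamilies` and `PrivateNetwork` both commented out, no address-family restriction is applied; if the listen sockets are known, re-enabling it as `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` would complete the sandbox. A short comment above the block recording which directives were tried and found to break Plex (presumably why PrivateNetwork is disabled) would save the next reader from repeating that experiment.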