pyrox.dev / nixpkgs
lol
fork atom

nixos/wakapi: harden systemd service

when using `systemd-analyze security wakapi.service` we went from a 5.9
to a 3.

isabelroses.com c7968cf1 2b4960c7

options
unified split
Changed files
+8 -1
nixos
modules
services
web-apps
wakapi.nix
+8 -1
nixos/modules/services/web-apps/wakapi.nix 
···

       
159

       
 

       
        Group = config.users.users.wakapi.group;


     

       
160

       
 

       



     

       
161

       
 

       
        DynamicUser = true;


     

       

       

       
     

       

       

       
     

       

       

       
     

       
162

       
 

       
        ProtectHome = true;


     

       
163

       
 

       
        ProtectHostname = true;


     

       

       

       
     

       
164

       
 

       
        ProtectKernelLogs = true;


     

       
165

       
 

       
        ProtectKernelModules = true;


     

       
166

       
 

       
        ProtectKernelTunables = true;


     

       

       

       
     

       

       

       
     

       
167

       
 

       
        ProtectProc = "invisible";


     

       
168

       
-

       
        ProtectSystem = "strict";


     

       
169

       
 

       
        RestrictAddressFamilies = [


     

       
170

       
 

       
          "AF_INET"


     

       
171

       
 

       
          "AF_INET6"


     

       
172

       
 

       
          "AF_UNIX"


     

       
173

       
 

       
        ];


     

       

       

       
     

       
174

       
 

       
        RestrictNamespaces = true;


     

       
175

       
 

       
        RestrictRealtime = true;


     

       
176

       
 

       
        RestrictSUIDSGID = true;


     
···

       
159

       
 

       
        Group = config.users.users.wakapi.group;


     

       
160

       
 

       



     

       
161

       
 

       
        DynamicUser = true;


     

       
162

       
+

       
        PrivateTmp = true;


     

       
163

       
+

       
        PrivateUsers = true;


     

       
164

       
+

       
        PrivateDevices = true;


     

       
165

       
 

       
        ProtectHome = true;


     

       
166

       
 

       
        ProtectHostname = true;


     

       
167

       
+

       
        ProtectClock = true;


     

       
168

       
 

       
        ProtectKernelLogs = true;


     

       
169

       
 

       
        ProtectKernelModules = true;


     

       
170

       
 

       
        ProtectKernelTunables = true;


     

       
171

       
+

       
        ProtectControlGroups = true;


     

       
172

       
+

       
        NoNewPrivileges = true;


     

       
173

       
 

       
        ProtectProc = "invisible";


     

       
174

       
+

       
        ProtectSystem = "full";


     

       
175

       
 

       
        RestrictAddressFamilies = [


     

       
176

       
 

       
          "AF_INET"


     

       
177

       
 

       
          "AF_INET6"


     

       
178

       
 

       
          "AF_UNIX"


     

       
179

       
 

       
        ];


     

       
180

       
+

       
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";


     

       
181

       
 

       
        RestrictNamespaces = true;


     

       
182

       
 

       
        RestrictRealtime = true;


     

       
183

       
 

       
        RestrictSUIDSGID = true;