From 3c3dd10fca6e35bcf863a21e982225b30b621b7f Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Wed, 3 Jul 2024 21:24:35 +0200
Subject: [PATCH] weewx: harden systemd service
---
 flake.nix | 1 +
 system/nixos/weewx.nix | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/flake.nix b/flake.nix
index edf1bbd..acb1a49 100644
--- a/flake.nix
+++ b/flake.nix
@@ -170,6 +170,7 @@ perSystem = { config, pkgs, inputs', ... }: {
 treefmt = {
+ package = pkgs.treefmt1;
 inherit (config.flake-root) projectRootFile;
 programs = {
diff --git a/system/nixos/weewx.nix b/system/nixos/weewx.nix
index 85fe455..77e67d8 100644
--- a/system/nixos/weewx.nix
+++ b/system/nixos/weewx.nix
@@ -41,6 +41,27 @@ in
 Group = "weewx";
 ExecStart = "${pkg}/bin/weewxd --config=${config.age.secrets.weewx-config.path}";
 ExecStopPost = "-!${lib.getExe pkgs.umount} ${home}/weewx-data";
+
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
 };
 };
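Review bot: The sandbox added in the weewx.nix hunk also applies to the `!`-prefixed ExecStopPost just above the first added line, and that command needs privileges the new settings take away: the `!` prefix only bypasses User=/Group=, so `CapabilityBoundingSet = [ "" ]` drops CAP_SYS_ADMIN for the umount, `PrivateUsers = true` likely leaves even root in the unit without authority over the host mount table, and umount2 is, as far as I recall, not part of `@system-service`, so the call would be refused or killed by the `SystemCallFilter` and the leading `-` then hides that failure. Check after a `systemctl stop` whether `${home}/weewx-data` is still mounted; if it is, moving the mount/unmount into a systemd mount unit bound to the service keeps the hardening intact without handing privileges back to weewxd. Two further settings should be checked against configuration that lives outside this hunk: `PrivateDevices = true` together with `DeviceAllow = [ "" ]` hides any serial or USB station device weewxd may read, and `ProtectHome = true` makes `${home}` unreadable if `home` resolves to a path under /home. The enclosing serviceConfig attribute set starts before the hunk.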