From 4eae4cd0627434ebdd2c29ad50244d0047f6a9da Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski
Date: Sat, 9 Aug 2025 17:15:05 +0200
Subject: [PATCH] feat: :lock: Harden Systemd unit config
---
 nix/module.nix | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/nix/module.nix b/nix/module.nix
index dee7d70d..85cf910b 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -123,6 +123,28 @@ in {
 StandardError = "journal";
 SyslogIdentifier = "${name}";
+ # Hardening
+ CapabilityBoundingSet = [""];
+ LockPersonality = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ RemoveIPC = true;
+ NoNewPrivileges = true;
 Environment = [ "CONFIG_LOCATION=${configFile}" ];