versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2025-12-06 08:28:19 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: 🔒 Harden Systemd unit config

Browse source
This commit is contained in:
Jesse Wierzbinski 2025-08-09 17:15:05 +02:00
parent a6c9d6cd4f
commit 4eae4cd062
No known key found for this signature in database
1 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
nix/module.nix
View file

@ -123,6 +123,28 @@ in {
StandardError = "journal";
SyslogIdentifier = "${name}";
# Hardening
CapabilityBoundingSet = [""];
LockPersonality = true;
PrivateMounts = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
RemoveIPC = true;
NoNewPrivileges = true;
Environment = [
"CONFIG_LOCATION=${configFile}"
];