Loading nixos/modules/services/web-servers/minio.nix +38 −0 Original line number Diff line number Diff line Loading @@ -135,6 +135,44 @@ in (legacyCredentials cfg) else null; # hardening DevicePolicy = "closed"; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; DeviceAllow = ""; NoNewPrivileges = true; PrivateDevices = true; PrivateMounts = true; PrivateTmp = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; MemoryDenyWriteExecute = true; LockPersonality = true; RemoveIPC = true; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; ProtectProc = "invisible"; ProtectHostname = true; UMask = "0077"; # minio opens /proc/mounts on startup ProcSubset = "all"; }; environment = { MINIO_REGION = "${cfg.region}"; Loading Loading
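Review bot: The new hardening block sets `ProtectHome` but no `ProtectSystem`, so the unit keeps write access to the rest of the root filesystem subject only to DAC as the minio user; `ProtectSystem = "strict";` plus `ReadWritePaths = [ <DATA_DIRS> <CONFIG_DIR> ];` (fill in from the module's data and config directory options, which are outside this hunk) would close that, with the same ProtectHome caveat that a data directory under /home would need the same treatment. `RestrictAddressFamilies` admits `AF_NETLINK` without saying why; if, as seems likely, it is for the Go runtime's interface enumeration, a one-line comment in the style of the existing `# minio opens /proc/mounts on startup` would stop the next reviewer from tightening it and breaking startup. The enclosing `serviceConfig` attribute set starts before this hunk. The same section is rendered twice on this page; the note applies to both.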
nixos/modules/services/web-servers/minio.nix +38 −0 Original line number Diff line number Diff line Loading @@ -135,6 +135,44 @@ in (legacyCredentials cfg) else null; # hardening DevicePolicy = "closed"; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; DeviceAllow = ""; NoNewPrivileges = true; PrivateDevices = true; PrivateMounts = true; PrivateTmp = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; MemoryDenyWriteExecute = true; LockPersonality = true; RemoveIPC = true; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; ProtectProc = "invisible"; ProtectHostname = true; UMask = "0077"; # minio opens /proc/mounts on startup ProcSubset = "all"; }; environment = { MINIO_REGION = "${cfg.region}"; Loading