nixos/flaresolverr: add systemd hardening (5d67f1fa) · Commits · nix / nixpkgs

nixos/modules/services/misc/flaresolverr.nix

+62 −0

Original line number	Diff line number	Diff line
		@@ -46,10 +46,72 @@ in
		RestartSec = 5;
		Type = "simple";
		DynamicUser = true;
		UMask = "0077";
		RuntimeDirectory = "flaresolverr";
		WorkingDirectory = "/run/flaresolverr";
		ExecStart = lib.getExe cfg.package;
		TimeoutStopSec = 30;

		# Systemd hardening
		LockPersonality = true;
		PrivateDevices = true;
		PrivateMounts = true;
		PrivateUsers = true;
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		RestrictRealtime = true;
		RestrictAddressFamilies = [
		"AF_INET"
		"AF_INET6"
		"AF_UNIX"
		];
		RestrictNamespaces = [
		"net"
		"pid"
		"user"
		];
		CapabilityBoundingSet = [
		"~CAP_BLOCK_SUSPEND"
		"~CAP_BPF"
		"~CAP_CHOWN"
		"~CAP_IPC_LOCK"
		"~CAP_MKNOD"
		"~CAP_NET_ADMIN"
		"~CAP_NET_RAW"
		"~CAP_PERFMON"
		"~CAP_SYSLOG"
		"~CAP_SYS_ADMIN"
		"~CAP_SYS_BOOT"
		"~CAP_SYS_MODULE"
		"~CAP_SYS_PACCT"
		"~CAP_SYS_PTRACE"
		"~CAP_SYS_TIME"
		"~CAP_WAKE_ALARM"
		];
		SystemCallFilter = [
		"~@chown"
		"~@clock"
		"~@cpu-emulation"
		"~@debug"
		"~@keyring"
		"~@memlock"
		"~@module"
		"~@obsolete"
		"~@pkey"
		"~@raw-io"
		"~@reboot"
		"~@setuid"
		"~@swap"
		"~@timer"
		];
		SystemCallErrorNumber = "EPERM";
		SystemCallArchitectures = "native";
		};
		};