nixos/bluetooth: add systemd hardening

  package = cfg.package;

  inherit (lib)

    mkDefault

    mkEnableOption

    mkIf

    mkOption

    mkRemovedOptionModule

    concatStringsSep

    escapeShellArgs

    literalExpression

    optional

    optionals

    optionalAttrs

    recursiveUpdate

    types

          {

            wantedBy = [ "bluetooth.target" ];

            aliases = [ "dbus-org.bluez.service" ];

            serviceConfig.ExecStart = [

            serviceConfig = {

              ExecStart = [

                ""

                "${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"

              ];

              CapabilityBoundingSet = [

                "CAP_NET_BIND_SERVICE" # sockets and tethering

              ];

              NoNewPrivileges = true;

              RestrictNamespaces = true;

              ProtectControlGroups = true;

              MemoryDenyWriteExecute = true;

              RestrictSUIDSGID = true;

              SystemCallArchitectures = "native";

              SystemCallFilter = "@system-service";

              LockPersonality = true;

              RestrictRealtime = true;

              ProtectProc = "invisible";

              PrivateTmp = true;

              PrivateUsers = false;

              # loading hardware modules

              ProtectKernelModules = false;

              ProtectKernelTunables = false;

              PrivateNetwork = false; # tethering

            };

            # restarting can leave people without a mouse/keyboard

            unitConfig.X-RestartIfChanged = false;

          };