Noratrieb/vps
1
0
Fork 0
mirror of https://github.com/Noratrieb/vps.git synced 2026-01-14 16:55:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

harden

Browse source
This commit is contained in:
nora 2025-08-18 21:54:20 +02:00
parent 6206de09bb
commit d21158e234
2 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
nix/apps/widetom/default.nix
View file

@ -32,6 +32,21 @@ in
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
ExecStart = lib.getExe widetom; ExecStart = lib.getExe widetom;
PrivateDevices = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectKernelTunables = true;
CapabilityBoundingSet = "";
ProtectProc = "noaccess";
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "";
SystemCallFilter = "@system-service";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
}; };
}; };

16
nix/modules/default/default.nix
View file

@ -188,6 +188,22 @@ in
}; };
systemd.services.alloy.serviceConfig = { systemd.services.alloy.serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
PrivateMounts = true;
ProtectControlGroups = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = true;
ProtectHome = true;
PrivateTmp = true;
NoNewPrivileges = true;
RestrictNamespaces = "";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
# TODO: find what's required for /proc/kallsyms (it should be CAP_SYSLOG!)
# CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG";
}; };
environment.etc."alloy/config.alloy".text = '' environment.etc."alloy/config.alloy".text = ''
discovery.process "all" { discovery.process "all" {