nixos/restic-rest-server: Add additional service hardening

author: MinerSebas <scherthan_sebastian@web.de> 2024-03-16 07:32:20 +0100
committer: MinerSebas <scherthan_sebastian@web.de> 2024-03-16 08:18:50 +0100
commit: 7762c2233c801f22cb0e377dcef2a2b510609f9b (patch)
tree: 3154344d5f01ccc476d1f1653d564f7f09e59802 /nixos/modules/services/backup
parent: c197e4a1e0e3bc8a628e4de197b2e88c23af605e (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/nixos/modules/services/backup/restic-rest-server.nix b/nixos/modules/services/backup/restic-rest-server.nix
index 105a05caf304..34a2c51bbb27 100644
--- a/nixos/modules/services/backup/restic-rest-server.nix
+++ b/nixos/modules/services/backup/restic-rest-server.nix
@@ -80,13 +80,30 @@ in
         Group = "restic";
 
         # Security hardening
-        ReadWritePaths = [ cfg.dataDir ];
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectProc = "invisible";
         ProtectSystem = "strict";
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
         ProtectControlGroups = true;
         PrivateDevices = true;
+        ReadWritePaths = [ cfg.dataDir ];
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = 027;
       };
     };
author	MinerSebas <scherthan_sebastian@web.de>	2024-03-16 07:32:20 +0100
committer	MinerSebas <scherthan_sebastian@web.de>	2024-03-16 08:18:50 +0100
commit	7762c2233c801f22cb0e377dcef2a2b510609f9b (patch)
tree	3154344d5f01ccc476d1f1653d564f7f09e59802 /nixos/modules/services/backup
parent	c197e4a1e0e3bc8a628e4de197b2e88c23af605e (diff)