author | Thiago Kenji Okada <thiagokokada@gmail.com> | 2024-06-23 12:26:18 -0300 |
---|---|---|
committer | Thiago Kenji Okada <thiagokokada@gmail.com> | 2024-06-24 19:01:16 -0300 |
commit | 33f1e2ece3861c0bdd032d370e6d0b841728c372 (patch) | |
tree | db06f10600405a2d2a9085533ff46c739444ed54 /nixos/modules/services | |
parent | e1f89770af6dce5bef6c79924dc827424c103cbf (diff) |
nixos/rtorrent: add systemd hardening configuration
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/torrent/rtorrent.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix
index 009c2ffe0a5b..b2fa6c30c4e0 100644
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@@ -8,6 +8,8 @@ let
opt = options.services.rtorrent;
in {
+ meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
options.services.rtorrent = {
enable = mkEnableOption "rtorrent";
@@ -203,6 +205,30 @@ in {
ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
RuntimeDirectory = "rtorrent";
RuntimeDirectoryMode = 755;
+
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ # If the default user is changed, there is a good chance that they
+ # want to store data in e.g.: $HOME directory
+ # Relax hardening in this case
+ ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
};
};
}; |
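Review bot: The `ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;` line keys the relaxation on the service user rather than on where the data actually lives, so a deployment that keeps the default user but points its data directory (or the session/download paths fed through `rtorrentConfigFile`) under `/home` still gets `ProtectHome=yes` and rtorrent fails with a permission or not-found error that gives no hint the sandbox is the cause. If the module exposes the data directory as an option (its definition is not visible in this hunk), the condition should take it into account, e.g. `ProtectHome = lib.mkIf (cfg.user == "rtorrent" && !lib.hasPrefix "/home/" cfg.dataDir) true;`, or the unit should grant the path explicitly with `ReadWritePaths = [ cfg.dataDir ];` so the exception is visible in the unit rather than implied by the user name. The comment above the line should also say what "relax" means here: `mkIf false` leaves the option unset, i.e. at the systemd default, so `/home`, `/root` and `/run/user` become fully accessible rather than merely less protected; something like `# NOTE: when not set, ProtectHome falls back to the systemd default (no protection at all)` would make that explicit. The enclosing `serviceConfig` attribute set opens outside the hunk.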