Merge #69

69: harmonia: more hardening r=Mic92 a=Mic92



Co-authored-by: Jörg Thalheim <[email protected]>

module.nix

@@ -4,8 +4,6 @@ let
 
   format = pkgs.formats.toml { };
   configFile = format.generate "harmonia.toml" cfg.settings;
-
-  harmonia = import ./. { inherit pkgs; };
 in
 {
   options = {
@@ -36,8 +34,6 @@ in
       priority = 50;
     };
 
-    environment.systemPackages = [ harmonia ];
-
     systemd.services.harmonia = {
       description = "harmonia binary cache service";
 
@@ -60,11 +56,14 @@ in
       environment.HOME = "/run/harmonia";
 
       serviceConfig = {
-        ExecStart = "${harmonia}/bin/harmonia";
+        ExecStart = "${import ./. { inherit pkgs; }}/bin/harmonia";
 
         User = "harmonia";
         Group = "harmonia";
         DynamicUser = true;
+        PrivateUsers = true;
+        DeviceAllow = [ "" ];
+        UMask = "0066";
 
         RuntimeDirectory = "harmonia";
         LoadCredential = lib.optional (cfg.signKeyPath != null) "sign-key:${cfg.signKeyPath}";
@@ -74,15 +73,28 @@ in
           "~@privileged"
           "~@resources"
         ];
+        CapabilityBoundingSet = "";
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        ProtectKernelLogs = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        RestrictRealtime = true;
+        MemoryDenyWriteExecute = true;
+        ProcSubset = "pid";
+        ProtectProc = "invisible";
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
 
         PrivateNetwork = false;
         PrivateTmp = true;
         PrivateDevices = true;
         PrivateMounts = true;
-        ProtectProc = true;
         NoNewPrivileges = true;
         ProtectSystem = "strict";
         ProtectHome = true;
+        LockPersonality = true;
         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 
         LimitNOFILE = 65536;