From eacd30027edbc33a4529bf1cb65fd568f52a20f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 7 May 2023 16:54:29 +0200
Subject: [PATCH 1/2] more hardening

---
 module.nix | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/module.nix b/module.nix
index d63656ee..691e2e4a 100644
--- a/module.nix
+++ b/module.nix
@@ -65,6 +65,9 @@ in
 User = "harmonia";
 Group = "harmonia";
 DynamicUser = true;
+ PrivateUsers = true;
+ DeviceAllow = [""];
+ UMask = "0066";
 RuntimeDirectory = "harmonia";
 LoadCredential = lib.optional (cfg.signKeyPath != null) "sign-key:${cfg.signKeyPath}";
@@ -74,15 +77,28 @@ in
 "~@privileged"
 "~@resources"
 ];
+ CapabilityBoundingSet = "";
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ RestrictRealtime = true;
+ MemoryDenyWriteExecute = true;
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
 PrivateNetwork = false;
 PrivateTmp = true;
 PrivateDevices = true;
 PrivateMounts = true;
- ProtectProc = true;
 NoNewPrivileges = true;
 ProtectSystem = "strict";
 ProtectHome = true;
+ LockPersonality = true;
 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 LimitNOFILE = 65536;

From b194fd1649e621fd270f9799d1bcce0705191b98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 7 May 2023 18:32:35 +0200
Subject: [PATCH 2/2] nixos: drop harmonia package from systemPackages

---
 module.nix | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/module.nix b/module.nix
index 691e2e4a..86a0a5d5 100644
--- a/module.nix
+++ b/module.nix
@@ -4,8 +4,6 @@ let
 format = pkgs.formats.toml { };
 configFile = format.generate "harmonia.toml" cfg.settings;
-
- harmonia = import ./. { inherit pkgs; };
 in
 {
 options = {
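Review bot: `UMask = "0066"` in the first hunk masks only the read and write bits for group and other, so anything the service creates under its RuntimeDirectory keeps the group/other execute bit, which is rarely what a locked-down unit wants; the conventional value is `UMask = "0077";`. If 0066 is deliberate, a one-line comment next to it (e.g. `# 0066: keep exec bits so ...`) would spare the next reader the question. The `DeviceAllow = [""]` reset should still leave the standard pseudo-devices reachable given `PrivateDevices = true` further down, but that is worth confirming on a running unit rather than assumed. The enclosing serviceConfig attribute set starts and ends outside the hunk.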
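Review bot: The seccomp filter that the second hunk's new settings sit under is still deny-list only — the visible `"~@privileged" "~@resources"` entries block two groups and implicitly allow every other syscall, including ones added to the kernel after this filter was written. Putting an allow-list first so the later negations subtract from it is the stronger shape: `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` (the `SystemCallFilter = [` opener itself is above the hunk). Of the added options, `ProcSubset = "pid"` with `ProtectProc = "invisible"` and `MemoryDenyWriteExecute = true` are the ones most likely to surprise at runtime if the binary reads non-pid /proc entries or maps writable+executable memory, so a short comment above the block noting that harmonia was exercised under them would help future maintainers. Both the SystemCallFilter list and the serviceConfig set begin outside the hunk.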
@@ -36,8 +34,6 @@ in
 priority = 50;
 };
- environment.systemPackages = [ harmonia ];
-
 systemd.services.harmonia = {
 description = "harmonia binary cache service";
@@ -60,13 +56,13 @@ in
 environment.HOME = "/run/harmonia";
 serviceConfig = {
- ExecStart = "${harmonia}/bin/harmonia";
+ ExecStart = "${import ./. { inherit pkgs; }}/bin/harmonia";
 User = "harmonia";
 Group = "harmonia";
 DynamicUser = true;
 PrivateUsers = true;
- DeviceAllow = [""];
+ DeviceAllow = [ "" ];
 UMask = "0066";
 RuntimeDirectory = "harmonia";