From 945d53cdb4e515ef25914c9c0cadc7c5f20ddfa2 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 22 Aug 2024 22:59:32 +0200
Subject: [PATCH] bekkalokk/vaultwarden: systemd hardening

---
 hosts/bekkalokk/services/vaultwarden.nix | 36 ++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
index 13722ce..f4a7477 100644
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -65,4 +65,40 @@ in {
 proxyWebsockets = true;
 };
 };
+
+ systemd.services.vaultwarden = lib.mkIf cfg.enable {
+ serviceConfig = {
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ # MemoryDenyWriteExecute = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0007";
+ };
+ };
 }
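Review bot: The `AmbientCapabilities = [ "" ]` and `CapabilityBoundingSet = [ "" ]` lines rely on an empty assignment resetting the capability set, but `serviceConfig` values that are lists are concatenated with any definition the upstream NixOS vaultwarden module makes for the same key, so if that module grants a capability (older versions did for privileged-port binding — verify against the nixpkgs revision in use) the generated unit will contain both assignments and the effective set depends on which comes last; `AmbientCapabilities = lib.mkForce [ "" ];` and `CapabilityBoundingSet = lib.mkForce [ "" ];` make the "drop everything" intent unambiguous. The commented-out `# MemoryDenyWriteExecute = true;` should carry a one-line reason (e.g. which component broke under it) so the next maintainer does not re-enable it blindly, or be removed. It is also worth a comment on `RestrictAddressFamilies` that `AF_UNIX` is kept for journald/notify sockets, since a reader may otherwise assume it is unneeded for an HTTP service. The attribute set this hunk extends begins before the hunk, so settings the upstream module already applies (`ProtectSystem`, `PrivateTmp`, `PrivateDevices`) are not visible here and are assumed to still be in effect.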