Deployment and lifecycle management for Nix

nix: harden sower-agent systemd service

Apply comprehensive systemd hardening to the agent service,
reducing exposure score from 8.6 to 1.5. Adds filesystem,
kernel, namespace, capability, and syscall protections while
preserving network access and activator socket functionality.

sow-17

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

+36 -3
nix/nixos/agent.nix
··· 149 149 LoadCredential = cfg.credentials; 150 150 151 151 # DynamicUser = true; 152 - ProtectSystem = "full"; 153 - ProtectHome = "tmpfs"; 152 + NoNewPrivileges = true; 153 + ProtectSystem = "strict"; 154 + ProtectHome = true; 154 155 PrivateTmp = true; 155 - NoNewPrivileges = false; 156 + ProtectKernelTunables = true; 157 + ProtectKernelModules = true; 158 + ProtectKernelLogs = true; 159 + ProtectControlGroups = true; 160 + ProtectClock = true; 161 + ProtectHostname = true; 162 + ProtectProc = "invisible"; 163 + ProcSubset = "pid"; 164 + PrivateDevices = true; 165 + RestrictNamespaces = true; 166 + RestrictRealtime = true; 167 + RestrictSUIDSGID = true; 168 + LockPersonality = true; 169 + RemoveIPC = true; 170 + CapabilityBoundingSet = ""; 171 + SystemCallArchitectures = "native"; 172 + # omit @privileged and @resources — BEAM VM may need them 173 + SystemCallFilter = [ 174 + "~@mount" 175 + "~@reboot" 176 + "~@swap" 177 + "~@obsolete" 178 + "~@clock" 179 + "~@cpu-emulation" 180 + "~@debug" 181 + "~@module" 182 + "~@raw-io" 183 + ]; 184 + RestrictAddressFamilies = [ 185 + "AF_UNIX" 186 + "AF_INET" 187 + "AF_INET6" 188 + ]; 156 189 SupplementaryGroups = lib.optionals activatorCfg.enable [ activatorCfg.socketGroup ]; 157 190 User = "sower-agent"; 158 191 Group = "sower-agent";
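Review bot: with `ProtectSystem = "strict"` the hunk leaves the agent no writable location other than its private `/tmp` and the read-only `$CREDENTIALS_DIRECTORY` from `LoadCredential`; nothing in the hunk adds a `StateDirectory`, `RuntimeDirectory` or `ReadWritePaths` entry, so if the agent persists any state (deployment generations, a database, logs outside the journal) it will now get EROFS at runtime, and the matching directive should be added in the same change. Two smaller points on the same block: `ProcSubset = "pid"` hides everything in `/proc` except process entries, including `/proc/meminfo` and `/proc/cpuinfo`, which the BEAM runtime and `os_mon` consult, so it is worth confirming the agent still starts cleanly and reports memory correctly under this setting; and the comment `# omit @privileged and @resources — BEAM VM may need them` is a guess the service can verify for itself by running for a while with `SystemCallLog = [ "@privileged" "@resources" ]` and checking the audit log, after which the comment can state what was actually observed. Finally, `"~@clock"` and `"~@module"` in `SystemCallFilter` are already implied by `ProtectClock = true` and `ProtectKernelModules = true`, and `@swap`/`@reboot` are unreachable with an empty `CapabilityBoundingSet`; harmless as defence in depth, but a short comment saying so would stop the next reader from wondering whether the two mechanisms are meant to differ.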