
Further harden systemd service

authored by

Isla and committed by tangled.org 5dc810ce 6abc0eac

+16 -3
+16 -3
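--- a/module.nix
+++ b/module.nix
@@ -194,22 +194,33 @@
     serviceConfig = {
       User = cfg.user;
       Group = cfg.group;
+      UMask = "0077";
       ExecStart = lib.getExe cfg.package;
       Restart = "on-failure";
       RestartSec = 5;
 
       WorkingDirectory = cfg.dataDir;
       StateDirectory = "tranquil-pds";
+      ReadWritePaths = [
+        cfg.settings.storage.path
+      ];
 
       EnvironmentFile = cfg.environmentFiles;
 
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
       NoNewPrivileges = true;
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
       PrivateDevices = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
       ProtectKernelTunables = true;
       ProtectKernelModules = true;
+      ProtectKernelLogs = true;
       ProtectControlGroups = true;
       RestrictAddressFamilies = [
         "AF_INET"
@@ -222,10 +233,12 @@
       RestrictRealtime = true;
       RestrictSUIDSGID = true;
       RemoveIPC = true;
-
-      ReadWritePaths = [
-        cfg.settings.storage.path
+      PrivateMounts = true;
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged @resources"
       ];
+      SystemCallArchitectures = "native";
     };
   };
 }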
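Review bot: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]` (new line 210) does not let the service bind a port below 1024, and combined with the new `PrivateUsers = true` (line 218) it cannot: the unit runs as `cfg.user` with no `AmbientCapabilities`, so its effective set is empty whatever the bounding set says, and PrivateUsers= confines any capability the unit could hold to its own user namespace, where it has no power over the host network namespace the socket is created in. If the PDS listens on an unprivileged port behind a reverse proxy, the honest setting is `CapabilityBoundingSet = "";` so the whole set is dropped; if it must bind 80/443 directly it needs `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `PrivateUsers` has to go, and either choice deserves a comment on the line so the next reader does not "fix" it back. Separately, `UMask = "0077"` (line 197) makes every file the service creates under `cfg.settings.storage.path` and the state directory mode 0600/0700 owned by `cfg.user`, which is right for account data and blobs but will break any backup or sidecar job that reads those paths as a different user; a one-line comment such as `# 0077: DB and blob files are private to cfg.user; run backups as that user` would record the intent. The middle of `serviceConfig` (old lines 216–221, including the rest of `RestrictAddressFamilies`) is outside both hunks, so I could not check whether `AF_UNIX`/`AF_INET6` are present.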