From 45be7bbc1323c3face77e9a28bc0279e92a2d4b5 Mon Sep 17 00:00:00 2001
From: Sergey Gulin
Date: Tue, 5 Mar 2024 13:47:19 +0300
Subject: [PATCH] [OPS-1161] Harden systemd services

Problem: We want to harden the security of our systemd services.

Solution: Update hardened services, harden swampwalk service, import serokell-nix.lib.systemd.hardenServices.
---
 common.nix | 1 +
 servers/alzirr/deployment.nix | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/common.nix b/common.nix
index f1236e2..20facff 100644
--- a/common.nix
+++ b/common.nix
@@ -4,6 +4,7 @@
 inputs.serokell-nix.nixosModules.serokell-users
 inputs.vault-secrets.nixosModules.vault-secrets
 inputs.serokell-nix.nixosModules.wireguard-monitoring
+ inputs.serokell-nix.lib.systemd.hardenServices
 ];
 
 networking.domain = "gemini.serokell.team";
diff --git a/servers/alzirr/deployment.nix b/servers/alzirr/deployment.nix
index 691562d..1c8fed3 100644
--- a/servers/alzirr/deployment.nix
+++ b/servers/alzirr/deployment.nix
@@ -39,6 +39,28 @@ in
 User = "sweater";
 Group = "users";
 ExecStart = "${swampwalk2-profile}/bin/swampwalk-server";
+
+ # hardening options
+ CapabilityBoundingSet = [
+ "CAP_CHOWN"
+ "CAP_SETUID"
+ "CAP_SETGID"
+ "CAP_FOWNER"
+ "CAP_DAC_OVERRIDE"
+ ];
+ AmbientCapabilities = [ "" ];
+ DeviceAllow = "no";
+ KeyringMode = "private";
+ NotifyAccess = "none";
+ PrivateMounts = "yes";
+ PrivateTmp = "yes";
+ ProtectControlGroups = "yes";
+ ProtectProc = "invisible";
+ SupplementaryGroups = [ "" ];
+ Delegate = "no";
+ RemoveIPC = "yes";
+ UMask = "0027";
+ ProcSubset = "pid";
 };
 };
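Review bot: `DeviceAllow = "no";` in the new serviceConfig block does not deny device access — DeviceAllow= takes device node paths (or an empty value to reset the list), so a bare `no` is not a valid entry and systemd is likely to log a warning and ignore it, leaving the unit with its default device access; `PrivateDevices = "yes";` (or `DevicePolicy = "closed";` together with `DeviceAllow = [ "" ];`) gives the restriction the comment intends. The CapabilityBoundingSet= keeps CAP_SETUID, CAP_SETGID and CAP_DAC_OVERRIDE although the unit runs as `User = "sweater"` with empty AmbientCapabilities; unless swampwalk-server is known to exec a setuid helper that needs them, `CapabilityBoundingSet = [ "" ];` is the stronger setting, since CAP_DAC_OVERRIDE in particular would let any setuid program reached from the service bypass file permissions. None of the options added here imply NoNewPrivileges=, as far as I can tell, so `NoNewPrivileges = true;` should be added unless the imported hardenServices module sets it for every unit, which is not visible in this patch. The serviceConfig attribute set opens above this hunk; running `systemd-analyze security` against the swampwalk unit on the deployed host would confirm the resulting exposure.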