From 048a0ad09cc333902d0585a4828538bc90a97706 Mon Sep 17 00:00:00 2001
From: Sergey Gulin
Date: Tue, 5 Mar 2024 13:01:47 +0300
Subject: [PATCH] [OPS-1161] Add withHardeningProfile helper

Problem: We want to harden our systemd services by using previously defined profiles, so we need a way to easily apply them to our systemd service configurations.

Solution: Add withHardeningProfile helper, remove DeviceAllow from profiles, because it is used incorrectly (systemd complains and skips this option), and the semantics of this use is already covered by PrivateDevices.
---
 lib/default.nix | 2 +-
 lib/systemd/default.nix | 6 ++++++
 lib/systemd/profiles.nix | 1 -
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/default.nix b/lib/default.nix
index 450f485..a5766e7 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,7 @@
 haskell = import ./haskell.nix {
 inherit lib nixpkgs;
 inherit (cabal) getTestedWithVersions;
 };
- systemd = import ./systemd;
+ systemd = import ./systemd { inherit lib; };
 types = import ./types.nix { inherit lib; };

diff --git a/lib/systemd/default.nix b/lib/systemd/default.nix
index fece4e7..f595ed3 100644
--- a/lib/systemd/default.nix
+++ b/lib/systemd/default.nix
@@ -1,3 +1,4 @@
+{ lib }:
 {
 hardeningProfiles = import ./profiles.nix;

@@ -5,4 +6,9 @@
 hardenServices = import ./harden-services.nix;
 userLevelServices = import ./user-level-services.nix;
+
+ withHardeningProfile = profile: serviceConfig: lib.mkMerge [
+ (builtins.mapAttrs (_: lib.mkDefault) profile)
+ serviceConfig
+ ];
 }

diff --git a/lib/systemd/profiles.nix b/lib/systemd/profiles.nix
index b8cced0..cc41871 100644
--- a/lib/systemd/profiles.nix
+++ b/lib/systemd/profiles.nix
@@ -42,7 +42,6 @@ rec {
 # "~CLONE_NEWUTS"
 # ];
 RestrictNamespaces = "yes";
- DeviceAllow = "no";
 IPAddressDeny = "any";
 KeyringMode = "private";
 NoNewPrivileges = "yes";
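Review bot: `withHardeningProfile` wraps every profile value in `lib.mkDefault`, so any key the service's own `serviceConfig` defines silently replaces the profile's value rather than merging with it — the module system keeps only the definitions at the winning priority, so a service that sets `SystemCallFilter = [ "@foo" ]` drops the profile's whole filter list instead of extending it, and a service that sets `NoNewPrivileges = "no"` wins with no warning. That default-vs-override design is defensible, but the helper's name suggests the profile is enforced and nothing in the hunk says otherwise, so a header comment is needed, e.g. `# Profile values are applied with mkDefault: a key the service defines itself replaces (does not merge with) the profile's value, so a hardening option can be weakened without mkForce and without any trace in the service definition.` The same comment should note that the result is a `mkMerge` marker, usable only as an option definition such as `systemd.services.<name>.serviceConfig`, not as a plain attribute set to read from. If some profile keys are meant to be non-negotiable, consider applying `lib.mkForce` to those instead of `mkDefault`, or at least listing them in the comment so service authors know what they are overriding.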