[OPS-1161] Harden systemd service

Sereja313 · Sereja313 · commit 8d7ec35afcc7 · 2024-03-05T13:46:38.000+03:00
Problem: We want to harden the security of our systemd services.

Solution: Use the hardening profile defined in serokell.nix.
diff --git a/module.nix b/module.nix
@@ -50,14 +50,32 @@ in
         export SLACK_TZ_BOT_TOKEN="${cfg.slackBotToken}"
         ${cfg.package}/bin/tzbot-exe --config ${pkgs.writeText "config.yml" (builtins.toJSON cfg.botConfig)}
       '';
+
       startLimitBurst = mkDefault 5;
       startLimitIntervalSec = mkDefault 300;
-      serviceConfig = {
+      serviceConfig = withHardeningProfile hardeningProfiles.backend {
         User = "tzbot";
         Group = "tzbot";
         StateDirectory = "tzbot";
         Restart = mkDefault "on-failure";
         RestartSec = mkDefault 10;
+
+        SystemCallFilter = [
+          "~@clock"
+          "~@debug"
+          "~@module"
+          "~@mount"
+          "~@raw-io"
+          "~@reboot"
+          "~@swap"
+          "~@privileged"
+          "~@resources"
+          "~@cpu-emulation"
+          "~@obsolete"
+
+          # override hardening profile
+          "set_mempolicy"
+        ];
       };
     };
     users.users.tzbot = {
