nixos/attestation-server: synchronize systemd options with upstream

nix-community · Apr 30, 2021 · d232ba3 · d232ba3
1 parent 6bce99c
commit d232ba3
Showing 1 changed file with 29 additions and 4 deletions.
diff --git a/nixos/attestation-server/module.nix b/nixos/attestation-server/module.nix
@@ -137,13 +137,38 @@ in
         SuccessExitStatus = [ 143 ];
 
         DynamicUser = true;
-        ProtectSystem = "strict";
-        ProtectHome = true;
+        StateDirectory = "attestation";
+        WorkingDirectory = "%S/attestation";
 
+        # See attestation.service in upstream repository
+        CapabilityBoundingSet = "";
+        IPAddressDeny = "any";
+        IPAddressAllow = "localhost";
+        LockPersonality = true;
         NoNewPrivileges = true;
         PrivateDevices = true;
-        StateDirectory = "attestation";
-        WorkingDirectory = "%S/attestation";
+        PrivateIPC = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged @resources"
+        ];
       };
     };