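# Provide secure defaults for systemd services.
#
# This is a NixOS `serviceConfig` attribute set: every key is emitted verbatim
# into the unit's [Service] section, so each key must match the systemd
# directive spelling exactly. systemd logs "Unknown key name ... ignoring" for
# a key it does not recognise and silently drops that setting, so a misspelled
# directive weakens the sandbox without failing the build.
#
# Good reads:
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
# https://docs.arbitrary.ch/security/systemd.html
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
{
  # Run as a transient, unprivileged user allocated by systemd. DynamicUser=
  # already implies several of the settings below (RemoveIPC=, PrivateTmp=,
  # NoNewPrivileges=, RestrictSUIDSGID=, ProtectSystem=strict); they are kept
  # explicit so the hardening intent survives if DynamicUser= is ever disabled.
  DynamicUser = true;

  # This set of restrictions is mostly derived from
  # - running `systemd-analyze security zkap-spending-service.service`
  # - Looking at the restrictions from the nixos nginx config.

  # No capabilities at all: neither inherited nor ambient.
  AmbientCapabilities = "";
  CapabilityBoundingSet = "";
  LockPersonality = true;
  # NOTE(review): W^X enforcement can break runtimes that map writable and
  # executable memory at the same time (JITs, some native extension modules);
  # confirm the service starts and runs cleanly with this enabled.
  MemoryDenyWriteExecute = true;
  NoNewPrivileges = true;
  PrivateDevices = true;
  PrivateMounts = true;
  # No network access at all; combined with RestrictAddressFamilies below the
  # service can only talk over Unix domain sockets.
  PrivateNetwork = true;
  PrivateTmp = true;
  PrivateUsers = true;
  ProcSubset = "pid";
  ProtectClock = true;
  ProtectControlGroups = true;
  ProtectHome = true;
  ProtectHostname = true;
  ProtectKernelLogs = true;
  ProtectKernelModules = true;
  ProtectKernelTunables = true;
  ProtectProc = "invisible";
  ProtectSystem = "strict";
  RemoveIPC = true;
  RestrictAddressFamilies = "AF_UNIX";
  RestrictNamespaces = true;
  RestrictRealtime = true;
  RestrictSUIDSGID = true;
  SystemCallArchitectures = "native";

  # Entries starting with "~" are a deny-list; the others are an allow-list.
  # Since the first entry is an allow-list, it bounds the set of permitted
  # syscalls and the following entries only narrow it further.
  SystemCallFilter = [
    # From systemd.exec(5), @system-service is "A reasonable set of
    # system calls used by common system [...]"
    "@system-service"
    # This is from the nginx config, except that `@ipc` is not removed,
    # since twisted uses a self-pipe.
    "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
  ];

  # The systemd directive is spelled UMask= (capital M). The previous `Umask`
  # key was not recognised by systemd and was ignored, leaving systemd's
  # default umask (0022) in effect and making files the service creates
  # world-readable. 0077 keeps them private to the service user.
  UMask = "0077";
}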