From c7968cf14075c62330b09bfa61e9d8a93da3b984 Mon Sep 17 00:00:00 2001
From: isabel
Date: Thu, 13 Mar 2025 15:30:32 +0000
Subject: [PATCH] nixos/wakapi: harden systemd service

when using `systemd-analyze security wakapi.service` we went from a 5.9 to a 3.
---
 nixos/modules/services/web-apps/wakapi.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/web-apps/wakapi.nix b/nixos/modules/services/web-apps/wakapi.nix
index 6067fd35b790..f833c0c0e45f 100644
--- a/nixos/modules/services/web-apps/wakapi.nix
+++ b/nixos/modules/services/web-apps/wakapi.nix
@@ -159,18 +159,25 @@ in
 Group = config.users.users.wakapi.group;
 DynamicUser = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
 ProtectHome = true;
 ProtectHostname = true;
+ ProtectClock = true;
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ NoNewPrivileges = true;
 ProtectProc = "invisible";
- ProtectSystem = "strict";
+ ProtectSystem = "full";
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
 "AF_UNIX"
 ];
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;