From ef19fcf725eb3aa97289a91e3eb76e1c41a5a13f Mon Sep 17 00:00:00 2001
From: Defelo
Date: Tue, 4 Mar 2025 22:12:09 +0100
Subject: [PATCH] nixos/zipline: improve systemd hardening

---
 nixos/modules/services/web-apps/zipline.nix | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/services/web-apps/zipline.nix b/nixos/modules/services/web-apps/zipline.nix
index b8c80b273ec8..86cb3a1d7e81 100644
--- a/nixos/modules/services/web-apps/zipline.nix
+++ b/nixos/modules/services/web-apps/zipline.nix
@@ -107,9 +107,11 @@ in
       ExecStart = lib.getExe cfg.package;
 
       # Hardening
+      AmbientCapabilities = "";
       CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
+      DevicePolicy = "closed";
       LockPersonality = true;
+      NoNewPrivileges = true;
       PrivateDevices = true;
       PrivateTmp = true;
       PrivateUsers = true;
@@ -123,15 +125,18 @@ in
       ProtectKernelTunables = true;
       ProtectProc = "invisible";
       ProtectSystem = "strict";
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
+      RemoveIPC = true;
+      RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX AF_NETLINK" ];
       RestrictNamespaces = true;
       RestrictRealtime = true;
       RestrictSUIDSGID = true;
       SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+      UMask = "0077";
     };
   };
 };
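Review bot: In the second hunk, `RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX AF_NETLINK" ];` wraps one space-separated string in a single-element list, whereas the removed lines (and the rest of this block) give each value as its own list element; the one-string form does work, since systemd accepts a space-separated list on one line, but it reads as an accident and is inconsistent with the module's style, so I would write `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];`. AF_NETLINK is new relative to the old allow-list and is the one entry that widens rather than tightens the sandbox; it deserves a short comment stating why the service needs it, e.g. `# AF_NETLINK: required for network interface enumeration by the runtime — confirm against a start-up failure without it`, since a reader cannot tell from the hunk whether it was added to fix a denial or added speculatively. Separately, `UMask = "0077";` means files the service creates are readable only by its own user, which is the right default but may break deployments where another unit (for example a reverse proxy serving uploads directly from disk) reads those files; if that is a supported setup it is worth a note in the option documentation, which lies outside this hunk.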