grimm-nixos-laptop/hardening/systemd/default.nix

{ lib, config, ... }:
let
  inherit (lib) mkDefault types mkIf;
  eq = a: b: a == b;
  noPred =
    preds: x:
    if preds == [ ] then
      true
    else if (lib.head preds) x then
      false
    else
      noPred (lib.tail preds) x;
in
{
  imports = [
    ./NetworkManager.nix
    ./wpa_supplicant.nix
    ./auditd.nix
    ./acpid.nix
    # ./cups.nix
    ./bluetooth.nix
    ./tty.nix
    ./ask-password.nix
    ./nix-daemon.nix

    ./global
  ];

  options.systemd.services = lib.mkOption {
    type =
      let
        osConfig = config;
      in
      types.attrsOf (
        lib.types.submodule (
          { config, name, ... }:
          {
            config.serviceConfig =
              let
                shouldMakeIntrusive = (
                  noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
                );
              in
              mkIf (osConfig.specialisation != { }) (
                {
                  ProtectHome = mkDefault true;
                  # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
                }
                // (lib.optionalAttrs shouldMakeIntrusive {
                  PrivateTmp = mkDefault true;
                  # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
                  # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
                  ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
                  # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
                })
              );
          }
        )
      );
  };

  config = mkIf (config.specialisation != { }) {

    systemd.services = {
      "user-runtime-dir@".serviceConfig.ProtectHome = false;
      "user@".serviceConfig.ProtectHome = false;
      systemd-homed.serviceConfig.ProtectHome = false;
      systemd-homed-activate.serviceConfig.ProtectHome = false;
      sshd.serviceConfig.ProtectHome = false;
      display-manager.serviceConfig.ProtectHome = "read-only";
      dbus-broker.serviceConfig.ProtectHome = "read-only";
      systemd-logind.serviceConfig.ProtectHome = false;

      nix-daemon.serviceConfig.ProtectHome = false;

      zfs-mount.serviceConfig.PrivateTmp = false;
      kmod-static-nodes.serviceConfig.PrivateTmp = false;
      mount-pstore.serviceConfig.PrivateTmp = false;
      # todo: tpm things

      #polkit.serviceConfig.NoNewPrivileges = false;
      #"getty@".serviceConfig.NoNewPrivileges = false;
      #"user@".serviceConfig.NoNewPrivileges = false;

      # todo: dbus?

      auditd.serviceConfig.ProtectKernelLogs = false;
      audit.serviceConfig.ProtectKernelLogs = false;

      "getty@".serviceConfig.SystemCallFilter = "";
      display-manager.serviceConfig.SystemCallFilter = "";
      sshd.serviceConfig.SystemCallFilter = "";
      rtkit-daemon.serviceConfig.SystemCallFilter = "";
    };
  };
}