systemd: protect against services finding another other process

Author: theorderingmachine

CHANGELOG.md

@@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes.
 
 ## patches
 
+- `systemd`: protect against services finding another other process 2026-04-04
 - `nix`: import language servers and formatted linter from upstream 2026-04-04
 - `vhs`: record terminal demos with tapes that share in caring gifs 2026-03-30
 - `pnpm`: install the performant node package manager for packaging 2026-03-29

machines/tom/services/soft-serve/default.nix

@@ -30,8 +30,23 @@ in
   systemd.services.soft-serve.serviceConfig = {
     DynamicUser = lib.mkForce false;
     ExecStart = lib.mkForce "${lib.getExe cfg.package} serve --sync-hooks";
+    Group = "git";
+    LockPersonality = true;
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectSystem = "strict";
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
     UMask = lib.mkForce "0022";
     User = "git";
-    Group = "git";
   };
 }

machines/tom/systemd/services/blog/default.nix

@@ -20,10 +20,25 @@
       serviceConfig = {
         CacheDirectory = "blog";
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/blog --refresh";
+        Group = "blog";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
-        RestartSec = 2;
+        RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
         User = "blog";
-        Group = "blog";
       };
     };
     "blog:preview" = {
@@ -41,8 +56,23 @@
       serviceConfig = {
         CacheDirectory = "blog";
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/blog/dev --refresh -- --port 3000";
-        User = "blog";
         Group = "blog";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        User = "blog";
       };
     };
   };

machines/tom/systemd/services/endpoints/default.nix

@@ -21,10 +21,25 @@
       serviceConfig = {
         CacheDirectory = "endpoints";
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/endpoints --refresh";
+        Group = "endpoints";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
-        RestartSec = 2;
+        RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
         User = "endpoints";
-        Group = "endpoints";
       };
     };
   };

machines/tom/systemd/services/quintus/default.nix

@@ -20,11 +20,26 @@
       serviceConfig = {
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         CacheDirectory = "quintus";
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/quintus --refresh";
+        Group = "quintus";
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
-        RestartSec = 2;
+        RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
         User = "quintus";
-        Group = "quintus";
       };
     };
   };

machines/tom/systemd/services/slack/snaek/default.nix

@@ -22,9 +22,24 @@
         CacheDirectory = "snaek";
         EnvironmentFile = config.sops.secrets."slack/snaek".path;
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/slacks/snaek --refresh";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
         RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         StateDirectory = "slack/snaek";
+        SystemCallArchitectures = "native";
         User = "snaek";
         WorkingDirectory = "/var/lib/slack/snaek";
       };

machines/tom/systemd/services/slack/tails/default.nix

@@ -20,9 +20,24 @@
         CacheDirectory = "tails";
         EnvironmentFile = config.sops.secrets."slack/tails".path;
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/slacks/tails --refresh";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
         RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         StateDirectory = "slack/tails";
+        SystemCallArchitectures = "native";
         User = "tails";
         WorkingDirectory = "/var/lib/slack/tails";
       };

machines/tom/systemd/services/slack/todos/default.nix

@@ -19,9 +19,24 @@
         CacheDirectory = "todos";
         EnvironmentFile = config.sops.secrets."slack/todos".path;
         ExecStart = "${pkgs.nix}/bin/nix run github:zimeg/slacks/todos#server --refresh";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
         Restart = "always";
         RestartSec = 120;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         StateDirectory = "slack/todos";
+        SystemCallArchitectures = "native";
         User = "todos";
         WorkingDirectory = "/var/lib/slack/todos";
       };