nixos/minio: harden service

2025-05-14 17:32:05 -07:00 · 2025-05-14 17:32:05 -07:00 · 5420ae11ea
commit 5420ae11ea
parent 8f5972c5de
1 changed files with 38 additions and 0 deletions
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@ -135,6 +135,44 @@ in
                (legacyCredentials cfg)
              else
                null;
+
+            # hardening
+            DevicePolicy = "closed";
+            CapabilityBoundingSet = "";
+            RestrictAddressFamilies = [
+              "AF_INET"
+              "AF_INET6"
+              "AF_NETLINK"
+              "AF_UNIX"
+            ];
+            DeviceAllow = "";
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateMounts = true;
+            PrivateTmp = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            MemoryDenyWriteExecute = true;
+            LockPersonality = true;
+            RemoveIPC = true;
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [
+              "@system-service"
+              "~@privileged"
+            ];
+            ProtectProc = "invisible";
+            ProtectHostname = true;
+            UMask = "0077";
+            # minio opens /proc/mounts on startup
+            ProcSubset = "all";
          };
          environment = {
            MINIO_REGION = "${cfg.region}";