From 5420ae11ea6a0925e2b6a9e1155a96531e789ab6 Mon Sep 17 00:00:00 2001
From: Alex Martens
Date: Wed, 14 May 2025 17:32:05 -0700
Subject: [PATCH] nixos/minio: harden service

---
 nixos/modules/services/web-servers/minio.nix | 38 ++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix
index 1f1a595f8700..ec31d06a3924 100644
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@@ -135,6 +135,44 @@ in
 (legacyCredentials cfg)
 else
 null;
+
+ # hardening
+ DevicePolicy = "closed";
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ "AF_UNIX"
+ ];
+ DeviceAllow = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ ProtectProc = "invisible";
+ ProtectHostname = true;
+ UMask = "0077";
+ # minio opens /proc/mounts on startup
+ ProcSubset = "all";
 };
 environment = {
 MINIO_REGION = "${cfg.region}";
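Review bot: The new option set leaves the host filesystem writable outside the paths minio needs — nothing in this hunk sets `ProtectSystem`, so a compromised minio process can still modify /etc, /usr and the rest of the root filesystem; unless it is already set elsewhere in `serviceConfig`, add `ProtectSystem = "strict";` together with a `ReadWritePaths` entry for the data and config directories the module's options point minio at. Two of the added options change runtime behaviour rather than only restricting the process: `UMask = "0077"` makes every object and directory minio creates owner-only, so any other local user or backup job that reads the data directory directly loses access, and `ProtectHome = true` makes a data directory placed under /home unreachable; both deserve a release note or a module assertion. The `SystemCallFilter` denylist `~@privileged` also covers `@chown`, which matters only if a start-up step runs inside this unit as the service user and tries to chown the data directories; if it does, `ReadWritePaths` plus `StateDirectory` is the cleaner route. The enclosing `serviceConfig` attribute set begins before the hunk, so options set there outside this view are not visible.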