From e673eca2bef0d6259d7ba70a4e1e66ad5fec7056 Mon Sep 17 00:00:00 2001
From: liberodark
Date: Wed, 28 May 2025 10:56:12 +0200
Subject: [PATCH] nixos/glpi-agent: add hardening

---
 .../services/monitoring/glpi-agent.nix | 59 +++++++++++++++----
 1 file changed, 48 insertions(+), 11 deletions(-)

diff --git a/nixos/modules/services/monitoring/glpi-agent.nix b/nixos/modules/services/monitoring/glpi-agent.nix
index 78c4d85a16e5..63d435a503ac 100644
--- a/nixos/modules/services/monitoring/glpi-agent.nix
+++ b/nixos/modules/services/monitoring/glpi-agent.nix
@@ -77,24 +77,61 @@ in
 }
 ];
- systemd.tmpfiles.settings."10-glpi-agent" = {
- ${cfg.stateDir} = {
- d = {
- mode = "0755";
- user = "root";
- group = "root";
- };
- };
- };
-
 systemd.services.glpi-agent = {
 description = "GLPI Agent";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 serviceConfig = {
- ExecStart = "${lib.getExe cfg.package} --conf-file ${configFile} --vardir ${cfg.stateDir} --daemon --no-fork";
+ ExecStart = lib.escapeShellArgs [
+ "${lib.getExe cfg.package}"
+ "--conf-file"
+ "${configFile}"
+ "--vardir"
+ "${cfg.stateDir}"
+ "--daemon"
+ "--no-fork"
+ ];
+
+ DynamicUser = true;
+ StateDirectory = "glpi-agent";
+ CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ];
+ AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
+
+ LimitCORE = 0;
+ LimitNOFILE = 65535;
+ LockPersonality = true;
+ MemorySwapMax = 0;
+ MemoryZSwapMax = 0;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
 Restart = "on-failure";
+ RestartSec = "10s";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@resources"
+ "~@privileged"
+ ];
+ NoNewPrivileges = true;
+ UMask = "0077";
 };
 };
 };
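Review bot: The ambient CAP_SYS_ADMIN grant on the new CapabilityBoundingSet/AmbientCapabilities lines is not explained, and on a DynamicUser service it hands back a near-root capability that undoes much of what the surrounding Protect*/Restrict* settings achieve; at minimum add a comment such as `# CAP_SYS_ADMIN: needed for <TODO: which inventory step>` next to those two lines, and use a narrower capability if one suffices. The removed tmpfiles rule created ${cfg.stateDir}, but the replacement `StateDirectory = "glpi-agent";` only provisions /var/lib/glpi-agent, so if the stateDir option (defined outside this hunk) can be set elsewhere, `ProtectSystem = "strict"` will leave the `--vardir` path unwritable and the service will fail at runtime; either assert the option's value or add `ReadWritePaths = [ cfg.stateDir ];`. Also note that `ProcSubset = "pid"` hides the non-process /proc entries (e.g. /proc/cpuinfo) that an inventory agent plausibly reads, which is worth verifying before this ships. The enclosing config block starts before this hunk.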