From 871d05aec05808f96e84aef094e6d441f935d2c5 Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev" <me@arav.top>
Date: Wed, 9 Mar 2022 23:13:04 +0400
Subject: [PATCH] Hardened systemd unit.

---
 init/systemd/dwelling-radio.service | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/init/systemd/dwelling-radio.service b/init/systemd/dwelling-radio.service
index 2decf13..8641ce0 100755
--- a/init/systemd/dwelling-radio.service
+++ b/init/systemd/dwelling-radio.service
@@ -4,9 +4,32 @@ After=network-online.target
 
 [Service]
 Type=simple
-Restart=on-failure
 User=dwradio
+Group=dwradio
 ExecStart=/usr/bin/dwelling-radio -conf /etc/dwelling/radio.yaml
+LogsDirectory=dwelling-radio
+RuntimeDirectory=dwelling-radio
+Restart=on-failure
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target