wayneko/module.nix: extra hardening

modules/services/wayneko/module.nix

@@ -1,5 +1,4 @@
 {
-  config,
   lib,
   pkgs,
   ...
@@ -22,29 +21,38 @@ in {
       RestartSec = 1;
       TimeoutStopSec = 10;
 
+      CapabilityBoundingSet = [""];
+      DevicePolicy = "closed";
       LockPersonality = true;
       MemoryDenyWriteExecute = true;
       NoNewPrivileges = true;
-
-      PrivateTmp = true;
       PrivateDevices = true;
-      DevicePolicy = "closed";
       PrivateNetwork = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
       ProtectClock = true;
       ProtectControlGroups = true;
       ProtectControlGroup = true;
+      ProtectHome = "true";
+      ProtectHostname = true;
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
+      ProtectProc = "invisible";
       ProtectSystem = "strict";
-      ProtectHome = "read-only";
-
       RestrictNamespaces = true;
       RestrictRealtime = true;
       RestrictRealTime = true;
       RestrictSUIDSGID = true;
 
-      SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+      SystemCallArchitectures = ["native"];
+
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
     };
   };
 }