diff --git a/modules/services/server/matrix.nix b/modules/services/server/matrix.nix
index 2b331f1..e6bce96 100644
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@@ -101,20 +101,61 @@ in {
 User = "mautrix-whatsapp";
 Group = "mautrix-whatsapp";
 Environment = "HOME=/var/lib/mautrix-whatsapp";
- PrivateTmp = true;
+ ReadWritePaths="/var/log/mautrix-whatsapp";
+ NoNewPrivileges=true;
+ MemoryDenyWriteExecute=true;
+ PrivateDevices=true;
+ PrivateTmp=true;
+ ProtectHome=true;
+ ProtectSystem="strict";
+ ProtectControlGroups=true;
+ RestrictSUIDSGID=true;
+ RestrictRealtime=true;
+ LockPersonality=true;
+ ProtectKernelLogs=true;
+ ProtectKernelTunables=true;
+ ProtectHostname=true;
+ ProtectKernelModules=true;
+ PrivateUsers=true;
+ ProtectClock=true;
+ SystemCallArchitectures="native";
+ SystemCallErrorNumber="EPERM";
+ SystemCallFilter="@system-service";
 };
 };
 mautrix-signal = {
 description = "Matrix <-> Signal bridge";
 wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
+ after = [ "network.target" "postgresql.service" "matrix-synapse.service" "signald.service" ];
 requires = [ "postgresql.service" "matrix-synapse.service" "signald.service"];
 script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
 serviceConfig = {
 User = "mautrix-signal";
 Group = "mautrix-signal";
- Environment = "HOME=/var/lib/mautrix-whatsapp";
- PrivateTmp = true;
+ Environment = "HOME=/var/lib/mautrix-signal";
+ ReadWritePaths= [
+ "/var/run/signald/signald.sock"
+ "/var/log/mautrix-signal"
+ ];
+ NoNewPrivileges=true;
+ MemoryDenyWriteExecute=true;
+ PrivateDevices=true;
+ PrivateTmp=true;
+ ProtectHome=true;
+ ProtectSystem="strict";
+ ProtectControlGroups=true;
+ RestrictSUIDSGID=true;
+ RestrictRealtime=true;
+ LockPersonality=true;
+ ProtectKernelLogs=true;
+ ProtectKernelTunables=true;
+ ProtectHostname=true;
+ ProtectKernelModules=true;
+ PrivateUsers=true;
+ ProtectClock=true;
+ SystemCallArchitectures="native";
+ SystemCallErrorNumber="EPERM";
+ SystemCallFilter="@system-service";
 };
 };
 };
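Review bot: The mautrix-signal `ReadWritePaths` entry names the socket file `/var/run/signald/signald.sock` itself, and under `ProtectSystem="strict"` that bind mount is the bridge's only write access to it; a bind mount of a single file is pinned to the inode that existed when the unit started, so if signald restarts and re-creates its socket the bridge keeps a stale mount, and if the socket is not bound yet at start-up (the `after` ordering only waits for signald's process, not its socket) the unit fails to start because the path does not exist. Granting the directory instead, `ReadWritePaths = [ "/run/signald" "/var/log/mautrix-signal" ];`, avoids both problems. Both units also set `HOME` under `/var/lib/`, which `ProtectSystem="strict"` leaves read-only, and `ReadWritePaths` does not create `/var/log/mautrix-*`; if either bridge writes state to its home, `StateDirectory = "mautrix-signal";` plus `LogsDirectory = "mautrix-signal";` lets systemd create both directories with the right ownership. The same list could also carry `RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";`, `RestrictNamespaces = true;` and `CapabilityBoundingSet = "";`, and the new lines use `Key=value` while the surrounding context is written `Key = value`. Everything said here applies equally to the mautrix-whatsapp list earlier in this hunk.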
@@ -199,6 +240,8 @@ in { }; signald = { enable = true; + user = "mautrix-signal"; + group = "mautrix-signal"; }; };
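Review bot: Setting `user = "mautrix-signal"; group = "mautrix-signal";` runs signald under the bridge's own account, so the two daemons become one identity and a compromise of the bridge process reaches signald's data and the Signal session material it holds (and the reverse). This looks like a consequence of `PrivateUsers=true` on the bridge unit in the previous hunk, which maps only that unit's own UID/GID into its user namespace and shows every other owner as nobody/nogroup, so a socket owned by a separate signald user may not be reachable; if that is the reason, it deserves a comment on these lines, e.g. `# signald runs as the bridge user: PrivateUsers in mautrix-signal maps only that uid, so the socket must be owned by it`. Otherwise keeping separate accounts and granting socket access by group (which may require dropping `PrivateUsers` for the bridge, worth testing) is the least-privilege layout. The enclosing `in {` attribute set continues outside this hunk.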