feat(kafka): add systemd hardening for kafka service

2026-03-22 00:22:56 +00:00 · 2026-03-22 00:22:56 +00:00 · 3858202855
commit 3858202855
parent 6d97173bd1
1 changed files with 38 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -227,6 +227,44 @@
    config = config.sops.templates."kafka-config.toml".path;
  };

+  # Hardening for kafka service
+  systemd.services.kafka.serviceConfig = {
+    # Capability bounds
+    CapabilityBoundingSet = [ "" ];
+    AmbientCapabilities = [ "" ];
+
+    # Filesystem
+    ProtectSystem = "strict";
+    ProtectHome = true;
+    ReadWritePaths = [ "/var/lib/kafka" ];
+    PrivateTmp = true;
+
+    # Network
+    PrivateDevices = true;
+    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+
+    # Process isolation
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    NoNewPrivileges = true;
+    ProtectClock = true;
+    ProtectHostname = true;
+
+    # System call filtering
+    SystemCallFilter = [ "@system-service" "~@privileged" ];
+    SystemCallArchitectures = "native";
+
+    # Memory
+    MemoryDenyWriteExecute = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+
+    # Resource limits
+    RestrictNamespaces = true;
+    LockPersonality = true;
+    RemoveIPC = true;
+  };
+
  # === Vaultwarden ===
  myModules.vaultwarden = {
    enable = true;