feat(kafka): add systemd hardening for kafka service

configuration.nix

@@ -227,6 +227,44 @@
     config = config.sops.templates."kafka-config.toml".path;
   };
 
+  # Hardening for kafka service
+  systemd.services.kafka.serviceConfig = {
+    # Capability bounds
+    CapabilityBoundingSet = [ "" ];
+    AmbientCapabilities = [ "" ];
+
+    # Filesystem
+    ProtectSystem = "strict";
+    ProtectHome = true;
+    ReadWritePaths = [ "/var/lib/kafka" ];
+    PrivateTmp = true;
+
+    # Network
+    PrivateDevices = true;
+    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+
+    # Process isolation
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    NoNewPrivileges = true;
+    ProtectClock = true;
+    ProtectHostname = true;
+
+    # System call filtering
+    SystemCallFilter = [ "@system-service" "~@privileged" ];
+    SystemCallArchitectures = "native";
+
+    # Memory
+    MemoryDenyWriteExecute = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+
+    # Resource limits
+    RestrictNamespaces = true;
+    LockPersonality = true;
+    RemoveIPC = true;
+  };
+
   # === Vaultwarden ===
   myModules.vaultwarden = {
     enable = true;