From 8207bfe50a8fe480eebdef146eb1042fc06e3ece Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Mon, 2 Dec 2024 15:26:42 +0000
Subject: [PATCH 1/2] nixos/uptime-kuma: Order lockdown settings lexicographically

Signed-off-by: Felix Singer
---
 .../services/monitoring/uptime-kuma.nix | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index 1d7ff10227a9a..00e13871bb3b6 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -51,21 +51,21 @@ in
 DynamicUser = true;
 ExecStart = "${cfg.package}/bin/uptime-kuma-server";
 Restart = "on-failure";
- ProtectHome = true;
- ProtectSystem = "strict";
- PrivateTmp = true;
+ NoNewPrivileges = true;
 PrivateDevices = true;
- ProtectHostname = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
 ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
 ProtectControlGroups = true;
- NoNewPrivileges = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
- RemoveIPC = true;
- PrivateMounts = true;
 };
 };
 };

From 4a661643978dffe7da3e29fd4681e90379a119c2 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Mon, 2 Dec 2024 15:58:16 +0000
Subject: [PATCH 2/2] nixos/uptime-kuma: Add additional lockdown settings to systemd unit

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index 00e13871bb3b6..0dd636fe1cc32 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -51,6 +51,10 @@ in
 DynamicUser = true;
 ExecStart = "${cfg.package}/bin/uptime-kuma-server";
 Restart = "on-failure";
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false; # enabling it breaks execution
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
@@ -62,10 +66,15 @@ in
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
 ProtectSystem = "strict";
 RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+ RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = 027;
 };
 };
 };
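Review bot: The comment on the added `MemoryDenyWriteExecute = false;` line records that enabling it breaks execution but not why, so nothing stops a later hardening pass from flipping it back. Uptime Kuma is a Node.js application and the V8 JIT presumably needs pages that are both writable and executable, which is exactly what this setting forbids; suggest `MemoryDenyWriteExecute = false; # the Node.js/V8 JIT needs writable+executable pages; enabling this breaks the server`. With `CapabilityBoundingSet = ""` and `AmbientCapabilities = ""` the service can no longer hold CAP_NET_RAW, so if the ping monitor relies on raw ICMP sockets it now depends on unprivileged ICMP being permitted via net.ipv4.ping_group_range — worth confirming on a test host before merge. The serviceConfig attribute set begins before this hunk and continues after it.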
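Review bot: `UMask = 027;` in the second hunk is a Nix integer literal, and Nix has no octal literals, so the value is the decimal 27 and is serialised into the unit as `UMask=27`; systemd reads that field in octal, so the intended mask 027 is applied, but only through that coincidence of stringification, and the literal misleads anyone reading it as octal. The usual NixOS form is the string `UMask = "0027";`, which is passed through unchanged and reads as what it is. `RestrictAddressFamilies` also admits `AF_NETLINK` without saying which monitor needs it; a short comment naming the consumer would keep a later cleanup from dropping it or keeping it blindly. The enclosing serviceConfig attribute set starts before this hunk.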