From e728d7ae4bb6394bbd19eec52b7358526a44c414 Mon Sep 17 00:00:00 2001
From: liberodark
Date: Tue, 29 Jul 2025 16:54:53 +0200
Subject: [PATCH] nixos/ntpd-rs: hardening
(cherry picked from commit a9cd681b8df39ca567cada7ff50d44f7b3fb225a)
---
 .../services/networking/ntp/ntpd-rs.nix | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
diff --git a/nixos/modules/services/networking/ntp/ntpd-rs.nix b/nixos/modules/services/networking/ntp/ntpd-rs.nix
index 14287ded9abf..358478b2e999 100644
--- a/nixos/modules/services/networking/ntp/ntpd-rs.nix
+++ b/nixos/modules/services/networking/ntp/ntpd-rs.nix
@@ -79,6 +79,49 @@ in
 ""
 "${lib.makeBinPath [ cfg.package ]}/ntp-daemon --config=${configFile}"
 ];
+
+ CapabilityBoundingSet = [
+ "CAP_SYS_TIME"
+ "CAP_NET_BIND_SERVICE"
+ ];
+ AmbientCapabilities = [
+ "CAP_SYS_TIME"
+ "CAP_NET_BIND_SERVICE"
+ ];
+ LimitCORE = 0;
+ LimitNOFILE = 65535;
+ LockPersonality = true;
+ MemorySwapMax = 0;
+ MemoryZSwapMax = 0;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@resources"
+ "@network-io"
+ "@clock"
+ ];
+ NoNewPrivileges = true;
+ UMask = "0077";
 };
 };
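Review bot: The daemon block stops short of the exporter block in the next hunk: `RestrictSUIDSGID = true;` and `RemoveIPC = true;` are absent here although nothing in an NTP daemon needs setuid file creation or SysV IPC, and the deliberate omission of `ProtectClock` (which would strip CAP_SYS_TIME and `@clock`) is undocumented; I would add `# ProtectClock/PrivateDevices intentionally left off: the daemon must set the clock and may need timing devices — confirm` next to `ProtectSystem = "strict";`. The `ExecStart = [ "" ... ]` reset shows this is a drop-in over the unit shipped by cfg.package, and list directives such as `CapabilityBoundingSet`, `RestrictAddressFamilies` and `SystemCallFilter` merge with whatever that unit already sets rather than replacing it, so the effective policy should be checked with `systemd-analyze security ntpd-rs` rather than read off this file. `ProtectSystem = "strict"` also leaves only /dev, /proc and /sys writable; if the daemon writes an observation socket or state file (the generated config is outside this hunk), a `RuntimeDirectory`/`StateDirectory` entry must come from the upstream unit or be added here. `@resources` and `@network-io` are already part of `@system-service`, so only `@clock` is load-bearing in the filter.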
@@ -92,6 +135,44 @@ in
 ""
 "${lib.makeBinPath [ cfg.package ]}/ntp-metrics-exporter --config=${configFile}"
 ];
+
+ CapabilityBoundingSet = [ ];
+ LimitCORE = 0;
+ LimitNOFILE = 65535;
+ LockPersonality = true;
+ MemorySwapMax = 0;
+ MemoryZSwapMax = 0;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ PrivateDevices = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@network-io"
+ "~@privileged"
+ "~@resources"
+ "~@mount"
+ ];
+ NoNewPrivileges = true;
+ UMask = "0077";
 };
 };
 };
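Review bot: `CapabilityBoundingSet = [ ];` most likely emits no directive at all: the NixOS unit serializer writes one `Key=value` line per list element, so an empty list produces nothing and the exporter keeps whatever bounding set the packaged unit or systemd defaults give it. The idiom other modules use for an empty set is the empty string, `CapabilityBoundingSet = "";`, which renders as `CapabilityBoundingSet=` and clears the set. Whether the exporter runs as root or as a dedicated user is not visible in this hunk; with `NoNewPrivileges = true` and no `AmbientCapabilities` the practical exposure is small for an unprivileged user, but the directive as written does not do what its name suggests and should be fixed or verified with `systemctl show -p CapabilityBoundingSet`.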