[Unit]
Description=Snow scanner worker
After=network.target
After=snow-scanner.service
Requires=snow-scanner.service

[Service]
Type=simple
User=snow-scanner
Group=snow-scanner
EnvironmentFile=/etc/snow-scanner/worker.env

RemoveIPC=true
ProtectHome=true
NoNewPrivileges=true

PrivateTmp=false
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
LockPersonality=true
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed
ProtectProc=invisible
ProtectClock=true
ProcSubset=pid
ProtectHostname=true
ProtectKernelLogs=true
# This will fail icmp pingers if set to true
PrivateUsers=false

SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
SystemCallFilter=~@pkey @ipc

# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
SystemCallErrorNumber=EPERM

# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
# Run: systemd-analyze security snow-scanner
# Add this one for ports < 1024
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW

SystemCallArchitectures=native

# Allow icmp
#AmbientCapabilities=CAP_NET_RAW

# Add this one for ports < 1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE

# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed

# No devices (except clock: ProtectClock)
# See: https://github.com/systemd/systemd/issues/23185
DeviceAllow=

BindReadOnlyPaths=/usr/share/snow-scanner

ExecStart=/usr/bin/snow-scanner-worker
Restart=on-failure

LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target