Add protection features to service definition

Signed-off-by: Jacob Kiers <jacob@jacobkiers.net>

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+* Added protection features to example systemd service file
+
 ## [0.2.3] - 2022-12-29
 
 ### Added

systemd/newsletter2web.service

@@ -1,7 +1,42 @@
 [Unit]
 Description=Create newsletter feed
 
+After=network-online.target
+Wants=network-online.target
+
 [Service]
 Type=oneshot
-WorkingDirectory=/home/n2w
+WorkingDirectory=/home/n2w/n2w
 ExecStart=/home/n2w/build-feed.sh
+User=n2w
+
+# Security
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+SystemCallFilter=@system-service
+#SystemCallFilter=@basic-io @file-system @network-io mprotect
+CapabilityBoundingSet=
+NoNewPrivileges=yes
+ProtectProc=invisible
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+PrivateUsers=yes
+
+# ProtectHostname and ProcSubset=pid cannot go together
+# see: https://github.com/systemd/systemd/pull/22203
+# This is fixed in systemd v251
+#ProtectHostname=yes
+ProtectClock=yes
+ProtectKernalTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+ProcSubset=pid
+UMask=0077
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes