Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r--app-admin/vaultwarden/files/vaultwarden.service41
1 files changed, 27 insertions, 14 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
index 12ba0d4..4b6cbfc 100644
--- a/app-admin/vaultwarden/files/vaultwarden.service
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -4,34 +4,47 @@ Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service mysqld.service postgresql.service
[Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
User=vaultwarden
Group=vaultwarden
-Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
-EnvironmentFile=/etc/vaultwarden.env
-ExecStart=/usr/bin/vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
LimitNOFILE=1048576
-LimitNPROC=256
+UMask=0077
+LimitNPROC=64
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
+ProtectKernelLogs=yes
ProtectControlGroups=yes
-
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
-SystemCallArchitectures=native
SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
-WorkingDirectory=/var/lib/vaultwarden
-ReadWriteDirectories=/var/lib/vaultwarden
-# Allow vaultwarden to bind ports in the range of 0-1024
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
[Install]
WantedBy=multi-user.target
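Review bot: `PrivateUsers=yes` likely defeats the `AmbientCapabilities=CAP_NET_BIND_SERVICE` line kept a few lines above it: per systemd.exec(5), a unit running in a private user namespace holds no capabilities in the host user namespace, and because this unit has no private network namespace, a bind to a port below 1024 is checked against the host namespace. As written, the comment `# Allow vaultwarden to bind ports in the range of 0-1024` promises something the unit probably no longer delivers, and the failure would only show up at start-up as a permission error on bind. Either drop `PrivateUsers=yes` when a low port is really needed, or, if vaultwarden is meant to listen on a high port behind a reverse proxy, remove both capability lines in favour of an empty `CapabilityBoundingSet=` and delete the comment. Separately, `ReadWriteDirectories=` is the legacy spelling of this setting; `ReadWritePaths=/var/lib/vaultwarden` is the documented name.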