From d1aee7b41c9642d796071df3d898d2c008354c3e Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Fri, 8 Sep 2023 15:04:33 -0700
Subject: [PATCH] Certbot hardening

---
 README.md                                     |  3 ++-
 .../system/certbot.service.d/override.conf    | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 etc/systemd/system/certbot.service.d/override.conf

diff --git a/README.md b/README.md
index 1ca7d6e..997d747 100644
--- a/README.md
+++ b/README.md
@@ -5,10 +5,11 @@ This configuration does not include some hardening configurations, as those are
 
 **Notes**:
 - snap ufw blocks Docker by default. ArcticFoxes's Matrix server uses .deb ufw instead.
+- Use the .deb certbot package so that you can apply systemd hardening.
 - A lot of these configuration files use ArcticFoxes's domain. If you are adopting this to your own system, make sure that you replace them.
 - The Certbot-OCSP-Fetcher script can be found [here](https://github.com/GrapheneOS/infrastructure/blob/main/certbot-ocsp-fetcher)
 - You need to create a `postgres-socket` and add the `postgres` and `matrix-synapse` user to it.
 - You need to create a `matrix-synapse-socket` and add the `matrix-synapse` and `nginx` user to it.
 - Systemd overrides for NGINX and SSHD services are based on [GrapheneOS's configurations](https://github.com/GrapheneOS/infrastructure/tree/main/systemd/system).
 - Systemd override for Synapse is based on Arch Linux's [matrix-synapse](https://gitlab.archlinux.org/archlinux/packaging/packages/matrix-synapse/-/blob/main/override-hardened.conf?ref_type=heads) package.
-- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`
+- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`
\ No newline at end of file
diff --git a/etc/systemd/system/certbot.service.d/override.conf b/etc/systemd/system/certbot.service.d/override.conf
new file mode 100644
index 0000000..495243a
--- /dev/null
+++ b/etc/systemd/system/certbot.service.d/override.conf
@@ -0,0 +1,26 @@
+[Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt /var/cache/certbot-ocsp-fetcher
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @obsolete
\ No newline at end of file