From 14f87f5aee52753ada73ffcee8ab1f110e25af4c Mon Sep 17 00:00:00 2001
From: Fabian Koller
Date: Tue, 29 Dec 2020 23:30:59 +0100
Subject: [PATCH] Harden systemd service files, drop perms further

---
 ansible/tasks/main.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/ansible/tasks/main.yml b/ansible/tasks/main.yml
index 4a243f322..f0fd84d67 100644
--- a/ansible/tasks/main.yml
+++ b/ansible/tasks/main.yml
@@ -310,7 +310,7 @@
 - name: configure systemd services
 ini_file:
 path: "{{ paperlessng_directory }}/scripts/{{ item[0] }}"
- section: "{{ item[1].section }}"
+ section: "Service"
 option: "{{ item[1].option }}"
 value: "{{ item[1].value }}"
 with_nested:
@@ -320,21 +320,35 @@
 paperless-webserver.service,
 ]
 - [
+ # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 {
- section: "Service",
 option: "User",
 value: "{{ paperlessng_system_user }}",
 },
 {
- section: "Service",
 option: "Group",
 value: "{{ paperlessng_system_group }}",
 },
 {
- section: "Service",
 option: "WorkingDirectory",
 value: "{{ paperlessng_directory }}/src",
 },
+ {
+ option: "ProtectSystem",
+ value: "full",
+ },
+ {
+ option: "NoNewPrivileges",
+ value: "true",
+ },
+ {
+ option: "PrivateUsers",
+ value: "true",
+ },
+ {
+ option: "PrivateDevices",
+ value: "true",
+ }
 ]
 
 - name: configure paperless-consumer service
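Review bot: Hard-coding `section: "Service"` in the ini_file call means any item later added to this with_nested list with a `section` key (a `[Unit]` or `[Install]` setting, say) would be silently written into `[Service]` instead. A comment above the task, `# every option in this task lands in [Service]; use a separate task for other sections`, makes that constraint visible to the next editor. The task and its `with_nested` list continue past the end of this hunk.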
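Review bot: `PrivateUsers=true` puts each service in a user namespace where, per the linked systemd.exec page, only root and the service's own user and group map to themselves and every other uid/gid maps to nobody, so files owned by anyone else (a shared consume or media directory, for instance) become unreadable or unwritable by the service; whether that bites here depends on how `{{ paperlessng_directory }}` and the consume path are owned, which this hunk does not show, so it deserves a comment next to the entry, e.g. `# PrivateUsers: all uids other than root and the service user appear as nobody`. `ProtectSystem=full` still leaves everything outside /usr, /boot and /etc writable; if the services only write under their own directory, `ProtectSystem=strict` with `ReadWritePaths={{ paperlessng_directory }}` is the tighter form, and `PrivateTmp=true` and `ProtectHome=true` fit the same list. Minor style point: the last entry ends with `}` where the others end with `},`; keeping the trailing comma makes future appends a one-line change. The enclosing task starts in the previous hunk.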