From b947e892d0473e03db3949c2bf77b213d4f9ecf4 Mon Sep 17 00:00:00 2001
From: confor
Date: Sun, 28 Jun 2026 23:40:15 -0400
Subject: [PATCH] feat(packaging): add systemd security hardening to service

---
 vikunja.service | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/vikunja.service b/vikunja.service
index 206dd41fc..e5929ea80 100644
--- a/vikunja.service
+++ b/vikunja.service
@@ -14,6 +14,34 @@ Type=simple
 WorkingDirectory=/opt/vikunja
 ExecStart=/usr/local/bin/vikunja
 Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectProc=invisible
+ProcSubset=pid
+UMask=0077
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+PrivateDevices=yes
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
 # If you want to bind Vikunja to a port below 1024 uncomment
 # the two values below
 ###
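Review bot: The new hardening block never restricts the root filesystem — there is no `ProtectSystem=` (and no `ReadWritePaths=`), so despite ProtectHome/ProtectKernel*/PrivateDevices the service can still write anywhere on / that its user may; `ProtectSystem=strict` together with `ReadWritePaths=/opt/vikunja` (the WorkingDirectory visible in the hunk — widen it if the data/files directory or an sqlite DB lives elsewhere) is the usual complement to the directives added here. The denylist `SystemCallFilter=~@privileged @resources` is applied without `SystemCallErrorNumber=`, so any filtered call terminates the process with SIGSYS rather than returning an error; since vikunja is, as far as I know, a Go binary whose runtime touches its own resource limits at startup, it is worth confirming on the packaged systemd version that nothing it calls at start falls into @resources, and `SystemCallErrorNumber=EPERM` would turn such a hit into a logged failure instead of a crash loop under Restart=always. The empty `CapabilityBoundingSet=`/`AmbientCapabilities=` are placed just above the existing "uncomment the two values below" comment; the commented lines themselves are outside the hunk, so whether they still compose correctly with the reset cannot be checked from here — a one-line note such as `# the empty assignments above reset the capability sets; uncommenting below re-adds CAP_NET_BIND_SERVICE` would make the intended interaction explicit to operators.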