From 749fd94d191d9c293b232566f3fb494d693dc248 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Tue, 7 Oct 2025 02:18:32 +0200
Subject: [PATCH 1/5] nixos/uptime-kuma: Enable PrivateUsers hardening in service config

For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateUsers=

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index c673a09832b0..85f96f9e9c7f 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -64,6 +64,7 @@ in
 PrivateDevices = true;
 PrivateMounts = true;
 PrivateTmp = true;
+ PrivateUsers = true;
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHome = true;
From 606424d6092c201853e116c451999e6ceadb8476 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Tue, 7 Oct 2025 02:16:00 +0200
Subject: [PATCH 2/5] nixos/uptime-kuma: Set ProtectProc to `invisible`

For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectProc=

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index 85f96f9e9c7f..25b72dc90e1a 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -72,7 +72,7 @@ in
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
- ProtectProc = "noaccess";
+ ProtectProc = "invisible";
 ProtectSystem = "strict";
 RemoveIPC = true;
 RestrictAddressFamilies = [
From 18af20e2b2d499f8e1e77b078c62458152455482 Mon Sep 17 00:00:00 2001
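Review bot: The new `PrivateUsers = true;` line is justified only by a documentation link; the commit message does not record that the service was run with it enabled, even though this module already documents one hardening knob that had to be backed out (`MemoryDenyWriteExecute = false; # enabling it breaks execution`). PrivateUsers leaves the process with no capabilities in the host user namespace, so any monitor type that needs privileged networking — presumably ICMP ping, if Uptime Kuma offers it — is the case worth exercising before merge. A line such as `Tested: HTTP and ping monitors run normally under the user namespace` in the commit message would give later readers that assurance. Since CapabilityBoundingSet is already empty in this unit, the change narrows the sandbox without altering the capability set the process effectively held.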
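Review bot: `ProtectProc = "invisible";` depends on two other lines of this unit to be effective — `DynamicUser = true;` and the empty `CapabilityBoundingSet` — because, per systemd.exec(5), root and any process holding CAP_SYS_PTRACE bypass the hidepid= restriction. That coupling is not visible here since those lines sit outside this hunk; a trailing comment such as `ProtectProc = "invisible"; # effective only with DynamicUser and no CAP_SYS_PTRACE` keeps a later edit from silently weakening it. On a kernel without per-mount hidepid= support the setting has no effect at all, so it should be treated as defence in depth rather than the sole barrier to process enumeration.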
From: Felix Singer
Date: Tue, 7 Oct 2025 02:16:50 +0200
Subject: [PATCH 3/5] nixos/uptime-kuma: Set ProtectControlGroups to `strict`

For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectControlGroups=

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index 25b72dc90e1a..a5da7e471552 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -66,7 +66,7 @@ in
 PrivateTmp = true;
 PrivateUsers = true;
 ProtectClock = true;
- ProtectControlGroups = true;
+ ProtectControlGroups = "strict";
 ProtectHome = true;
 ProtectHostname = true;
 ProtectKernelLogs = true;
From 7b791e1de7e3331d331d3e4b4c86075a8c51e080 Mon Sep 17 00:00:00 2001
From: Felix Singer
Date: Tue, 7 Oct 2025 02:18:22 +0200
Subject: [PATCH 4/5] nixos/uptime-kuma: Enable MountAPIVFS hardening in service config

This setting is already implied by others, but add it for completeness as well. For documentation see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#MountAPIVFS=

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index a5da7e471552..5d75d270967b 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -60,6 +60,7 @@ in
 CapabilityBoundingSet = "";
 LockPersonality = true;
 MemoryDenyWriteExecute = false; # enabling it breaks execution
+ MountAPIVFS = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
From d06389e317a02ce6ebe75459ef18dd11eee25df8 Mon Sep 17 00:00:00 2001
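Review bot: `ProtectControlGroups = "strict";` uses one of the newer non-boolean values, and the surrounding NixOS module has no assertion tying it to a systemd version that understands it; an older systemd will typically log the unrecognised value and ignore the assignment, leaving the cgroup tree with no protection at all rather than failing loudly. Worth confirming that the systemd shipped in this nixpkgs branch accepts `strict`, and stating in the commit message what the value requires on my reading of the documentation (cgroup v2 and cgroup namespace support) so that users on older channels know why it may degrade. The commit message currently carries only the documentation link.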
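Review bot: `MountAPIVFS = true;` is redundant by the commit message's own account, but the file does not carry that information, so a later reader may treat the line as independently load-bearing and keep it while removing the settings that actually imply it (a non-default `ProtectProc` implies MountAPIVFS, per systemd.exec(5)). Suggest `MountAPIVFS = true; # implied by ProtectProc; kept explicit for readability` so the intent from the commit message survives in the module. The same hunk shows the only other explanatory comment in this block (`# enabling it breaks execution`), which is the precedent for recording such rationale inline.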
From: Felix Singer
Date: Tue, 7 Oct 2025 02:20:32 +0200
Subject: [PATCH 5/5] nixos/uptime-kuma: Ensure proper permissions for state directory

Signed-off-by: Felix Singer
---
 nixos/modules/services/monitoring/uptime-kuma.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index 5d75d270967b..cab1e989c14e 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -53,6 +53,7 @@ in
 serviceConfig = {
 Type = "simple";
 StateDirectory = "uptime-kuma";
+ StateDirectoryMode = "750";
 DynamicUser = true;
 ExecStart = "${cfg.package}/bin/uptime-kuma-server";
 Restart = "on-failure";
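Review bot: `StateDirectoryMode = "750";` tightens the directory from systemd's 0755 default, but the message "Ensure proper permissions" does not say what was improper; presumably that the state directory, which holds the application's database and whatever secrets it stores, was world-readable, and that rationale belongs in the commit message or inline, e.g. `StateDirectoryMode = "750"; # state dir holds the app database; not world-readable`. With `DynamicUser = true;` the group is transient and nothing else in the unit needs group access, so `"700"` would be an equally workable and slightly stricter choice. Also worth checking on an already-deployed host whether systemd adjusts the mode of a pre-existing state directory or applies it only on creation; if the latter, existing installations stay at 0755 until corrected by hand.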