feat: extra systemd service hardening (#2197)

analyzer/install/systemd/libretime-analyzer.service

@@ -11,9 +11,11 @@ PrivateUsers=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=full
 
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@

api/install/systemd/libretime-api.service

@@ -12,9 +12,11 @@ PrivateUsers=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=full
 
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@

playout/install/systemd/libretime-liquidsoap.service

@@ -11,9 +11,11 @@ PrivateUsers=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=full
 
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@

playout/install/systemd/libretime-playout.service

@@ -13,9 +13,11 @@ PrivateUsers=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=full
 
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@

worker/install/systemd/libretime-worker.service

@@ -11,9 +11,11 @@ PrivateUsers=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=full
 
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@