rick-infra/roles/valkey/templates/systemd-override.conf.j2

# Redis Systemd Security Override
# Generated by rick-infra Redis role
#
# This file provides additional security hardening for the Redis service
# following the same security patterns as the PostgreSQL role.

[Service]
# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Network security
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Filesystem permissions
ReadWritePaths=/var/lib/valkey
ReadOnlyPaths=/etc/valkey

# System call filtering
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Memory and resource limits
MemoryDenyWriteExecute=yes
LockPersonality=yes

# Capabilities
CapabilityBoundingSet=
AmbientCapabilities=

# User and group isolation
DynamicUser=no
User=valkey
Group=valkey

# Process isolation
PrivateUsers=yes
RemoveIPC=yes

# Additional Redis-specific security
UMask=0027