references to official systemd documentation

master
Alexander Tomokhov 2023-06-30 20:00:40 +04:00
parent 57daae7466
commit 8121966ffc
1 changed files with 11 additions and 10 deletions

@ -57,7 +57,7 @@ _Btw, if your systemd service code gets large and you want to wrap it into somet
### common hardening options (execution environment configuration)
Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
These options are described in [official systemd execution environment configuration](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
```nix
# (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html))
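Review bot: the new sentence has a grammar slip, "may cause your service malfunction" should read "may cause your service to malfunction", and the comma after "Note" is unnecessary. Since the paragraph now tells readers to always test after applying these options, it would help to name a concrete check next to the link, for example running `systemd-analyze security <unit>` to see how systemd scores the resulting sandbox and which exposures remain.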
@ -89,6 +89,7 @@ ProtectKernelTunables = true;
# some services need `ProtectProc = "invisible"` instead; this option implies `MountAPIVFS`
ProtectProc = "invisible";
# entire file system hierarchy gets mounted read-only, except `/dev` `/proc` and `/sys`
ProtectSystem = "strict";
# you need to exclude "AF_UNIX" if unix sockets are not used
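Review bot: the added comment on `ProtectSystem = "strict"` is correct but incomplete in a way that bites users: with the whole hierarchy read-only, any directory the service writes to must be opened back up (e.g. via `ReadWritePaths=` or `StateDirectory=`), otherwise it fails at the first write, so a short pointer to that would fit here. Minor: punctuate the list as "`/dev`, `/proc` and `/sys`".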
@ -104,17 +105,19 @@ RemoveIPC = true;
# allow general system service operations, except ~@ sets
# (see full list of predefined system call sets with `systemd-analyze syscall-filter`)
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ];
# this disables IPC (some services require IPC, so be careful)
SystemCallFilter = [ "~@ipc" ];
```
#### very specific hardening options (resource control unit settings)
### some very specific hardening options (resource control unit settings)
When `PrivateDevices` is `true`, all non-pseudo /dev devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems.
These options are described in [official systemd resource control documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options).
When `PrivateDevices` is `true`, all non-pseudo `/dev` devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems access.
```nix
# allow pseudo devices
# explicitly allow pseudo devices
DevicePolicy = "closed";
# explicit list of accessible devices
DeviceAllow = [ "" ];
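Review bot: the `SystemCallFilter = [ "~@ipc" ];` line right after the reordered `SystemCallFilter` list cannot be pasted as shown, because a Nix attribute set may not define the same attribute twice (it is an evaluation error), even though systemd itself would merge several `SystemCallFilter=` lines; suggest making it a commented alternative or folding `"~@ipc"` into the single list with a note that it is optional. The reorder of `"~@resources"` and `"~@setuid"` is cosmetic and fine. In the new `PrivateDevices` sentence, "filesystems access" should be "file system access", and "all non-pseudo `/dev` devices are not accessible" reads better as "no non-pseudo `/dev` devices are accessible". The comment "explicit list of accessible devices" above `DeviceAllow = [ "" ];` could add that an empty string resets the list rather than listing a device.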
@ -123,11 +126,11 @@ DeviceAllow = [ "" ];
The following are self-explanatory:
```nix
SocketBindAllow = "tcp:80";
SocketBindDeny = "any";
SocketBindAllow = "tcp:80";
```
#### resources control (limits) for a systemd service
#### resources limits for a systemd service
Systemd resource control directives allow you to limit resources provided to a service. For example, if `MemoryMax` limit is exceeded, OOM killer gets invoked.
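Review bot: swapping `SocketBindDeny` above `SocketBindAllow` changes nothing functionally, since attribute order in a Nix set is not preserved into the generated unit file, so if the intent is to document "deny everything except TCP port 80" the prose should say so instead of calling the block self-explanatory. The renamed heading should be "resource limits", not "resources limits".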
@ -147,9 +150,7 @@ systemd.service = {
`MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation.
Refer to [official documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options) for many other options.
#### blocking any network connections except localhost
#### blocking all network connections except localhost
This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
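Review bot: dropping the "Refer to official documentation" line removes the only pointer to the resource-control man page from the resource limits subsection; the link was added to the subsection above, so consider keeping a one-line reference here too. While touching this region, fix the typo "processses" in the `MemoryHigh` paragraph, and the sentence starting "And can be configured also..." is a fragment that should be joined to the preceding one.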