Congegni
/
libretime
mirror of https://github.com/libretime/libretime.git
7
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: systemd service hardening (#2186)

This commit is contained in:
Jonas L 2022-09-27 11:51:17 +02:00 committed by GitHub
parent 96cc2b59f5
commit 4c18cf5ef2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
analyzer/install/systemd/libretime-analyzer.service
View File

@ -3,14 +3,28 @@ Description=LibreTime Media Analyzer Service
PartOf=libretime.target PartOf=libretime.target
[Service] [Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
WorkingDirectory=@@WORKING_DIR@@/analyzer WorkingDirectory=@@WORKING_DIR@@/analyzer
ExecStart=/usr/local/bin/libretime-analyzer ExecStart=/usr/local/bin/libretime-analyzer
Restart=always
User=libretime User=libretime
Group=libretime Group=libretime
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

24
api/install/systemd/libretime-api.service
View File

@ -4,13 +4,24 @@ Requires=libretime-api.socket
PartOf=libretime.target PartOf=libretime.target
[Service] [Service]
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
Type=notify Type=notify
KillMode=mixed KillMode=mixed
PrivateTmp=true
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
ExecStart=/usr/bin/gunicorn \ ExecStart=/usr/bin/gunicorn \
--workers 4 \ --workers 4 \
--worker-class uvicorn.workers.UvicornWorker \ --worker-class uvicorn.workers.UvicornWorker \
@ -18,9 +29,10 @@ ExecStart=/usr/bin/gunicorn \
--bind unix:/run/libretime-api.sock \ --bind unix:/run/libretime-api.sock \
libretime_api.asgi libretime_api.asgi
ExecReload=/bin/kill -s HUP $MAINPID ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
User=libretime User=libretime
Group=libretime Group=libretime
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

18
playout/install/systemd/libretime-liquidsoap.service
View File

@ -3,14 +3,28 @@ Description=LibreTime Liquidsoap Service
PartOf=libretime.target PartOf=libretime.target
[Service] [Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
WorkingDirectory=@@WORKING_DIR@@/playout WorkingDirectory=@@WORKING_DIR@@/playout
ExecStart=/usr/local/bin/libretime-liquidsoap ExecStart=/usr/local/bin/libretime-liquidsoap
Restart=always
User=libretime User=libretime
Group=libretime Group=libretime
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

18
playout/install/systemd/libretime-playout.service
View File

@ -5,14 +5,28 @@ Wants=libretime-liquidsoap.service
After=libretime-liquidsoap.service After=libretime-liquidsoap.service
[Service] [Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
WorkingDirectory=@@WORKING_DIR@@/playout WorkingDirectory=@@WORKING_DIR@@/playout
ExecStart=/usr/local/bin/libretime-playout ExecStart=/usr/local/bin/libretime-playout
Restart=always
User=libretime User=libretime
Group=libretime Group=libretime
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

18
worker/install/systemd/libretime-worker.service
View File

@ -3,8 +3,21 @@ Description=LibreTime Worker Service
PartOf=libretime.target PartOf=libretime.target
[Service] [Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
WorkingDirectory=@@WORKING_DIR@@/worker WorkingDirectory=@@WORKING_DIR@@/worker
ExecStart=/usr/bin/sh -c 'celery worker \ ExecStart=/usr/bin/sh -c 'celery worker \
@ -14,9 +27,10 @@ ExecStart=/usr/bin/sh -c 'celery worker \
--concurrency=1 \ --concurrency=1 \
--loglevel=INFO \ --loglevel=INFO \
--logfile=$LIBRETIME_LOG_FILEPATH' --logfile=$LIBRETIME_LOG_FILEPATH'
Restart=always
User=libretime User=libretime
Group=libretime Group=libretime
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target