feat: systemd service hardening (#2186)
parent
96cc2b59f5
commit
4c18cf5ef2
|
@ -3,14 +3,28 @@ Description=LibreTime Media Analyzer Service
|
|||
PartOf=libretime.target
|
||||
|
||||
[Service]
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
|
||||
WorkingDirectory=@@WORKING_DIR@@/analyzer
|
||||
|
||||
ExecStart=/usr/local/bin/libretime-analyzer
|
||||
Restart=always
|
||||
|
||||
User=libretime
|
||||
Group=libretime
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
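Review bot: `ProtectSystem=full` in the added hardening block makes only /usr, the boot loader directories and /etc read-only, so every other path the `libretime` user can write to stays writable from the analyzer. If the set of paths the service writes is known, `ProtectSystem=strict` together with `ReadWritePaths=@@LOG_DIR@@` (plus whichever storage directory the analyzer writes to, which is not visible on this page) would confine writes to those locations. The same line appears in the api, liquidsoap, playout and worker units further down and could be tightened the same way, each with its own writable paths.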
|
||||
|
|
|
@ -4,13 +4,24 @@ Requires=libretime-api.socket
|
|||
PartOf=libretime.target
|
||||
|
||||
[Service]
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
|
||||
|
||||
Type=notify
|
||||
KillMode=mixed
|
||||
PrivateTmp=true
|
||||
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
|
||||
ExecStart=/usr/bin/gunicorn \
|
||||
--workers 4 \
|
||||
--worker-class uvicorn.workers.UvicornWorker \
|
||||
|
@ -18,9 +29,10 @@ ExecStart=/usr/bin/gunicorn \
|
|||
--bind unix:/run/libretime-api.sock \
|
||||
libretime_api.asgi
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
Restart=always
|
||||
|
||||
User=libretime
|
||||
Group=libretime
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
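Review bot: The added block for the API unit restricts file-system and device visibility but leaves system calls, socket address families and namespace creation unrestricted. Since this is the unit that serves requests through gunicorn, that leaves it the widest remaining kernel surface. Consider adding `SystemCallFilter=@system-service`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `RestrictNamespaces=true`. The address-family list is an assumption and should be checked against what the API actually connects to. Running `systemd-analyze security` on the installed unit before and after shows what is still exposed; the other four units could take the same lines once verified here.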
|
||||
|
|
|
@ -3,14 +3,28 @@ Description=LibreTime Liquidsoap Service
|
|||
PartOf=libretime.target
|
||||
|
||||
[Service]
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
|
||||
WorkingDirectory=@@WORKING_DIR@@/playout
|
||||
|
||||
ExecStart=/usr/local/bin/libretime-liquidsoap
|
||||
Restart=always
|
||||
|
||||
User=libretime
|
||||
Group=libretime
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
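Review bot: `PrivateDevices=true` in the liquidsoap unit gives the service a private /dev containing only pseudo-devices, so sound devices under /dev/snd are no longer visible to it. If any deployment plays out to a local sound card (this page does not show whether that output is supported), this line would silently break it. A narrower alternative for this unit only is `DevicePolicy=closed` with `DeviceAllow=char-alsa rw` in place of `PrivateDevices=true`. Otherwise, a comment above the line stating that local audio output is deliberately unsupported would help. `PrivateUsers=true` may also change how group-based access to those device nodes resolves, so that should be tested together.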
|
||||
|
|
|
@ -5,14 +5,28 @@ Wants=libretime-liquidsoap.service
|
|||
After=libretime-liquidsoap.service
|
||||
|
||||
[Service]
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
|
||||
WorkingDirectory=@@WORKING_DIR@@/playout
|
||||
|
||||
ExecStart=/usr/local/bin/libretime-playout
|
||||
Restart=always
|
||||
|
||||
User=libretime
|
||||
Group=libretime
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -3,8 +3,21 @@ Description=LibreTime Worker Service
|
|||
PartOf=libretime.target
|
||||
|
||||
[Service]
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
|
||||
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
|
||||
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
|
||||
WorkingDirectory=@@WORKING_DIR@@/worker
|
||||
|
||||
ExecStart=/usr/bin/sh -c 'celery worker \
|
||||
|
@ -14,9 +27,10 @@ ExecStart=/usr/bin/sh -c 'celery worker \
|
|||
--concurrency=1 \
|
||||
--loglevel=INFO \
|
||||
--logfile=$LIBRETIME_LOG_FILEPATH'
|
||||
Restart=always
|
||||
|
||||
User=libretime
|
||||
Group=libretime
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|