Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: systemd service hardening (#2186)

Browse source
This commit is contained in:
Jonas L 2022-09-27 11:51:17 +02:00 committed by GitHub
parent 96cc2b59f5
commit 4c18cf5ef2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

18
analyzer/install/systemd/libretime-analyzer.service
View file

@ -3,14 +3,28 @@ Description=LibreTime Media Analyzer Service
PartOf=libretime.target
[Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
WorkingDirectory=@@WORKING_DIR@@/analyzer
ExecStart=/usr/local/bin/libretime-analyzer
Restart=always
User=libretime
Group=libretime
Restart=always
[Install]
WantedBy=multi-user.target