Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: systemd service hardening (#2186)

Browse source
This commit is contained in:
Jonas L 2022-09-27 11:51:17 +02:00 committed by GitHub
parent 96cc2b59f5
commit 4c18cf5ef2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

24
api/install/systemd/libretime-api.service
View file

@ -4,13 +4,24 @@ Requires=libretime-api.socket
PartOf=libretime.target
[Service]
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
Type=notify
KillMode=mixed
PrivateTmp=true
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
ExecStart=/usr/bin/gunicorn \
--workers 4 \
--worker-class uvicorn.workers.UvicornWorker \
@ -18,9 +29,10 @@ ExecStart=/usr/bin/gunicorn \
--bind unix:/run/libretime-api.sock \
libretime_api.asgi
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
User=libretime
Group=libretime
Restart=always
[Install]
WantedBy=multi-user.target