Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: systemd service hardening (#2186)

Browse source
This commit is contained in:
Jonas L 2022-09-27 11:51:17 +02:00 committed by GitHub
parent 96cc2b59f5
commit 4c18cf5ef2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

18
playout/install/systemd/libretime-liquidsoap.service
View file

@ -3,14 +3,28 @@ Description=LibreTime Liquidsoap Service
PartOf=libretime.target
[Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
WorkingDirectory=@@WORKING_DIR@@/playout
ExecStart=/usr/local/bin/libretime-liquidsoap
Restart=always
User=libretime
Group=libretime
Restart=always
[Install]
WantedBy=multi-user.target

18
playout/install/systemd/libretime-playout.service
View file

@ -5,14 +5,28 @@ Wants=libretime-liquidsoap.service
After=libretime-liquidsoap.service
[Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
WorkingDirectory=@@WORKING_DIR@@/playout
ExecStart=/usr/local/bin/libretime-playout
Restart=always
User=libretime
Group=libretime
Restart=always
[Install]
WantedBy=multi-user.target