Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: systemd service hardening (#2186)

Browse source
This commit is contained in:
Jonas L 2022-09-27 11:51:17 +02:00 committed by GitHub
parent 96cc2b59f5
commit 4c18cf5ef2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

18
worker/install/systemd/libretime-worker.service
View file

@ -3,8 +3,21 @@ Description=LibreTime Worker Service
PartOf=libretime.target
[Service]
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
WorkingDirectory=@@WORKING_DIR@@/worker
ExecStart=/usr/bin/sh -c 'celery worker \
@ -14,9 +27,10 @@ ExecStart=/usr/bin/sh -c 'celery worker \
--concurrency=1 \
--loglevel=INFO \
--logfile=$LIBRETIME_LOG_FILEPATH'
Restart=always
User=libretime
Group=libretime
Restart=always
[Install]
WantedBy=multi-user.target