authoryalh76 <yalh@yahoo.com>2024-12-28 01:29:20 +0100
committeryalh76 <yalh@yahoo.com>2024-12-28 01:29:20 +0100
commit3b0275ba5b773feca70ed92db8c8f240e93107ce (patch)
treed6acc5265aa00f77a56a18143d373e9d27a93f72 /conf/mastodon-streaming.service
parentf42e0062f5ed2fc63443111c811fbfb2f3ad0700 (diff)
Implement yarn 4.5, new active_record_encryption and mastodon default services
Diffstat (limited to 'conf/mastodon-streaming.service')
-rw-r--r--conf/mastodon-streaming.service36
1 files changed, 20 insertions, 16 deletions
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index f63945e..f29e527 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -1,5 +1,5 @@
[Unit]
-Description=__APP__-streaming
+Description=__APP__-streaming on port __PORT_STREAM_
After=network.target
[Service]
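Review bot: The placeholder on the new Description line reads `__PORT_STREAM_`, with a single trailing underscore, whereas `__APP__` on the same line has two on each side. If the file is committed that way rather than this being a rendering artefact, the template substitution presumably will not match and the literal text will end up in the unit description. The likely intent is `Description=__APP__-streaming on port __PORT_STREAM__`. The [Service] section continues outside this hunk.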
@@ -16,22 +16,26 @@ Restart=always
StandardOutput=append:/var/log/__APP__/__APP__-streaming.log
StandardError=inherit
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
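Review bot: The new `# Proc filesystem` and `# Capabilities` headings have no directive under them, so the unit reads as if /proc visibility and capabilities were restricted here when nothing in this hunk sets them. Either drop the empty headings or put the settings beneath them, e.g. `ProtectProc=invisible` and `ProcSubset=pid` (confirm the oldest supported host's systemd accepts them); the trailing context line suggests capabilities are handled further down, outside the hunk, so one heading there would be enough. The four repeated `RestrictAddressFamilies=` lines accumulate to the same allow-list as the old single line, and `yes` to `true` is only a spelling change, so the sandbox itself looks unchanged. I would also keep the removed pointer for maintainers as a comment: `# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`.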