From 3b0275ba5b773feca70ed92db8c8f240e93107ce Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 28 Dec 2024 01:29:20 +0100
Subject: Implement yarn 4.5, new active_record_encryption and mastodon default services

---
 conf/mastodon-streaming.service | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

(limited to 'conf/mastodon-streaming.service')

diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index f63945e..f29e527 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=__APP__-streaming
+Description=__APP__-streaming on port __PORT_STREAM_
 After=network.target
 
 [Service]
@@ -16,22 +16,26 @@ Restart=always
 StandardOutput=append:/var/log/__APP__/__APP__-streaming.log
 StandardError=inherit
 
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
 ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 
 # Denying access to capabilities that should not be relevant for webapps
-- 
cgit v1.2.3-70-g09d2

From ae23701d446549aca12e5e3bd31a8dc15a65ff86 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sun, 29 Dec 2024 17:21:26 +0100
Subject: Update mastodon-streaming.service

---
 conf/mastodon-streaming.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'conf/mastodon-streaming.service')

diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index f29e527..963a316 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=__APP__-streaming on port __PORT_STREAM_
+Description=__APP__-streaming on port __PORT_STREAM__
 After=network.target
 
 [Service]
-- 
cgit v1.2.3-70-g09d2
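Review bot: The new `# Proc filesystem` and `# Capabilities` headings have no directive beneath them, so anyone auditing the unit for a ProtectProc= or CapabilityBoundingSet= setting under those labels finds nothing; the capability restrictions appear to follow the context line `# Denying access to capabilities that should not be relevant for webapps`, outside this hunk. Either drop the two empty headings or move `# Capabilities` down to that block, and restore the reference the removed comment carried, e.g. `# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`, since the hardening set is otherwise undocumented. Splitting RestrictAddressFamilies= across four lines and changing yes to true are behaviour-preserving in systemd (repeated RestrictAddressFamilies= assignments are merged), so this hunk reorders the sandboxing options without weakening them. The [Service] section continues past the end of the hunk.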