fix: Add some security to the service

dadav · Jul 1, 2024 · 7ae21f8 · 7ae21f8
1 parent a3dfaf1
commit 7ae21f8
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/gorge.service b/gorge.service
@@ -4,6 +4,22 @@ Description=Gorge is a puppet forge server written in Go
 [Service]
 Type=simple
 ExecStart=/usr/bin/gorge --config /etc/gorge.yaml serve
+Restart=on-failure
+NoNewPrivileges=yes
+PrivateTmp=yes
+DevicePolicy=closed
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+ProtectClock=yes
+ProtectHostname=yes
+PrivateUsers=yes
 
 [Install]
 WantedBy=multi-user.target