From 5789892d2b2e533ee5331a47b33c5df97ccdbf88 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 10 Jun 2021 13:25:26 +0200
Subject: [PATCH] contrib: import hardened systemd units

I developed these for the NixOS module and have been using them with SQLite for quite some time.
---
 contrib/pinnwand-reaper.service | 35 ++++++++++++++++++++++++++++++
 contrib/pinnwand-reaper.timer   | 13 +++++++++++
 contrib/pinnwand.service        | 38 +++++++++++++++++++++++++++++++++
 pinnwand.service-example        |  9 --------
 4 files changed, 86 insertions(+), 9 deletions(-)
 create mode 100644 contrib/pinnwand-reaper.service
 create mode 100644 contrib/pinnwand-reaper.timer
 create mode 100644 contrib/pinnwand.service
 delete mode 100644 pinnwand.service-example

diff --git a/contrib/pinnwand-reaper.service b/contrib/pinnwand-reaper.service
new file mode 100644
index 0000000..404e180
--- /dev/null
+++ b/contrib/pinnwand-reaper.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Pinnwand Reaper
+Documentation=https://pinnwand.readthedocs.io/en/latest/
+
+[Service]
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=true
+ExecStart=/usr/local/bin/pinnwand --configuration-path /etc/pinnwand.toml -vvvv reap
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=pinnwand
+StateDirectoryMode=0700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+User=pinnwand
+
diff --git a/contrib/pinnwand-reaper.timer b/contrib/pinnwand-reaper.timer
new file mode 100644
index 0000000..934f49a
--- /dev/null
+++ b/contrib/pinnwand-reaper.timer
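Review bot: The `[Service]` block gives a reader no way to tell which protections are chosen explicitly and which arrive implicitly with `DynamicUser=true`; a comment above `CapabilityBoundingSet=` such as `# DynamicUser=true also implies NoNewPrivileges=, RestrictSUIDSGID=, RemoveIPC=, PrivateTmp= and ProtectSystem=strict` would make the effective sandbox reviewable without consulting systemd.exec(5). The same block is duplicated verbatim in contrib/pinnwand.service and the note applies there too. Because the UID is allocated at start, `/etc/pinnwand.toml` cannot be owned by a stable `pinnwand` account and must be readable by whatever UID is assigned; a comment stating the permissions the file needs, and that database credentials in it (the commit mentions SQLite) are then exposed to any local user who can read it, would save operators a failed first start. Style: the three `RestrictAddressFamilies=` lines can be one `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, and `-vvvv` in `ExecStart=` bakes maximum log verbosity into the unit rather than leaving it to the configuration.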
@@ -0,0 +1,13 @@
+[Unit]
+Description=Clear expired pastes regularly
+
+[Timer]
+AccuracySec=43200s
+FixedRandomDelay=true
+OnCalendar=daily
+Persistent=yes
+RandomizedDelaySec=24h
+Unit=pinnwand-reaper.service
+
+[Install]
+WantedBy=timers.target
diff --git a/contrib/pinnwand.service b/contrib/pinnwand.service
new file mode 100644
index 0000000..0d13fc0
--- /dev/null
+++ b/contrib/pinnwand.service
@@ -0,0 +1,38 @@
+[Unit]
+After=network.target
+Description=Pinnwannd HTTP Server
+Documentation=https://pinnwand.readthedocs.io/en/latest/
+
+[Service]
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=true
+ExecStart=/usr/local/bin/pinnwand --configuration-path /etc/pinnwand.toml http --port 4100
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=pinnwand
+StateDirectoryMode=0700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+User=pinnwand
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pinnwand.service-example b/pinnwand.service-example
deleted file mode 100644
index e3c1b19..0000000
--- a/pinnwand.service-example
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=pinnwand pastebin
-
-[Service]
-ExecStart=/home/youruser/virtual-environment/bin/pinnwand --configuration-path /home/youruser/pinnwand.toml http
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
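Review bot: `AccuracySec=43200s` is applied on top of `RandomizedDelaySec=24h`, so a run scheduled by `OnCalendar=daily` can slip up to roughly 36 h past its nominal time, and consecutive runs may bunch up or drift far apart; if the intent is only to spread load across the day, the randomized delay already does that and leaving `AccuracySec=` at its default, or `AccuracySec=1h`, keeps each reap inside its day. Expired pastes remain on disk until the reaper runs, so the worst-case delay is worth stating in a comment above `[Timer]`. `Persistent=yes` beside `FixedRandomDelay=true` mixes boolean spellings; `Persistent=true` matches the rest of the contrib units.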
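Review bot: `Restart=` is missing from the `[Service]` block, whereas the deleted pinnwand.service-example carried `Restart=always`; with this unit a crash of the HTTP server leaves it down until an operator notices, so add `Restart=on-failure` and a `RestartSec=` under `[Service]`. `Description=Pinnwannd HTTP Server` misspells the project name and should read `Description=Pinnwand HTTP Server`. The listener binds `--port 4100` with no address given on the command line, so the bind address presumably comes from `/etc/pinnwand.toml`; a comment noting that a reverse proxy or firewall is expected in front of that port would tell operators what the unit does not do for them.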