indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

More secure systemd settings

merge-requests/30/head
Bob Mottram 2022-05-19 19:21:19 +01:00
parent c91d4d136e
commit 143b415941
5 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -85,6 +85,27 @@ Environment=USER=epicyon
Environment=PYTHONUNBUFFERED=true
Restart=always
StandardError=syslog
CPUQuota=80%
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
PrivateTmp=true
PrivateUsers=true
PrivateDevices=true
PrivateIPC=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target

21
deploy/i2p
View File

@ -218,6 +218,27 @@ echo 'Creating Epicyon daemon'
echo 'Environment=PYTHONUNBUFFERED=true';
echo 'Restart=always';
echo 'StandardError=syslog';
echo 'CPUQuota=80%';
echo 'ProtectHome=true';
echo 'ProtectKernelTunables=true';
echo 'ProtectKernelModules=true';
echo 'ProtectControlGroups=true';
echo 'ProtectKernelLogs=true';
echo 'ProtectHostname=true';
echo 'ProtectClock=true';
echo 'ProtectProc=invisible';
echo 'ProcSubset=pid';
echo 'PrivateTmp=true';
echo 'PrivateUsers=true';
echo 'PrivateDevices=true';
echo 'PrivateIPC=true';
echo 'MemoryDenyWriteExecute=true';
echo 'NoNewPrivileges=true';
echo 'LockPersonality=true';
echo 'RestrictRealtime=true';
echo 'RestrictSUIDSGID=true';
echo 'RestrictNamespaces=true';
echo 'SystemCallArchitectures=native';
echo '';
echo '[Install]';
echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"

21
deploy/onion
View File

@ -137,6 +137,27 @@ echo 'Creating Epicyon daemon'
echo 'Environment=PYTHONUNBUFFERED=true';
echo 'Restart=always';
echo 'StandardError=syslog';
echo 'CPUQuota=80%';
echo 'ProtectHome=true';
echo 'ProtectKernelTunables=true';
echo 'ProtectKernelModules=true';
echo 'ProtectControlGroups=true';
echo 'ProtectKernelLogs=true';
echo 'ProtectHostname=true';
echo 'ProtectClock=true';
echo 'ProtectProc=invisible';
echo 'ProcSubset=pid';
echo 'PrivateTmp=true';
echo 'PrivateUsers=true';
echo 'PrivateDevices=true';
echo 'PrivateIPC=true';
echo 'MemoryDenyWriteExecute=true';
echo 'NoNewPrivileges=true';
echo 'LockPersonality=true';
echo 'RestrictRealtime=true';
echo 'RestrictSUIDSGID=true';
echo 'RestrictNamespaces=true';
echo 'SystemCallArchitectures=native';
echo '';
echo '[Install]';
echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"

22
gemini/EN/install.gmi
View File

@ -47,6 +47,26 @@ Paste the following:
Restart=always
StandardError=syslog
CPUQuota=80%
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
PrivateTmp=true
PrivateUsers=true
PrivateDevices=true
PrivateIPC=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
@ -135,7 +155,7 @@ And paste the following:
proxy_request_buffering off;
proxy_buffering off;
proxy_pass http://localhost:7156;
tcp_nodelay on;
tcp_nodelay on;
}
}

20
website/EN/index.html
View File

@ -1378,6 +1378,26 @@
Restart=always<br>
StandardError=syslog<br>
CPUQuota=80%<br>
ProtectHome=true<br>
ProtectKernelTunables=true<br>
ProtectKernelModules=true<br>
ProtectControlGroups=true<br>
ProtectKernelLogs=true<br>
ProtectHostname=true<br>
ProtectClock=true<br>
ProtectProc=invisible<br>
ProcSubset=pid<br>
PrivateTmp=true<br>
PrivateUsers=true<br>
PrivateDevices=true<br>
PrivateIPC=true<br>
MemoryDenyWriteExecute=true<br>
NoNewPrivileges=true<br>
LockPersonality=true<br>
RestrictRealtime=true<br>
RestrictSUIDSGID=true<br>
RestrictNamespaces=true<br>
SystemCallArchitectures=native<br>
<br>
[Install]<br>
WantedBy=multi-user.target