Update readme

README.md

@@ -85,6 +85,27 @@ Environment=USER=epicyon
 Environment=PYTHONUNBUFFERED=true
 Restart=always
 StandardError=syslog
+CPUQuota=80%
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectHostname=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+PrivateTmp=true
+PrivateUsers=true
+PrivateDevices=true
+PrivateIPC=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

deploy/i2p

@@ -218,6 +218,27 @@ echo 'Creating Epicyon daemon'
   echo 'Environment=PYTHONUNBUFFERED=true';
   echo 'Restart=always';
   echo 'StandardError=syslog';
+  echo 'CPUQuota=80%';
+  echo 'ProtectHome=true';
+  echo 'ProtectKernelTunables=true';
+  echo 'ProtectKernelModules=true';
+  echo 'ProtectControlGroups=true';
+  echo 'ProtectKernelLogs=true';
+  echo 'ProtectHostname=true';
+  echo 'ProtectClock=true';
+  echo 'ProtectProc=invisible';
+  echo 'ProcSubset=pid';
+  echo 'PrivateTmp=true';
+  echo 'PrivateUsers=true';
+  echo 'PrivateDevices=true';
+  echo 'PrivateIPC=true';
+  echo 'MemoryDenyWriteExecute=true';
+  echo 'NoNewPrivileges=true';
+  echo 'LockPersonality=true';
+  echo 'RestrictRealtime=true';
+  echo 'RestrictSUIDSGID=true';
+  echo 'RestrictNamespaces=true';
+  echo 'SystemCallArchitectures=native';
   echo '';
   echo '[Install]';
   echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"

deploy/onion

@@ -137,6 +137,27 @@ echo 'Creating Epicyon daemon'
   echo 'Environment=PYTHONUNBUFFERED=true';
   echo 'Restart=always';
   echo 'StandardError=syslog';
+  echo 'CPUQuota=80%';
+  echo 'ProtectHome=true';
+  echo 'ProtectKernelTunables=true';
+  echo 'ProtectKernelModules=true';
+  echo 'ProtectControlGroups=true';
+  echo 'ProtectKernelLogs=true';
+  echo 'ProtectHostname=true';
+  echo 'ProtectClock=true';
+  echo 'ProtectProc=invisible';
+  echo 'ProcSubset=pid';
+  echo 'PrivateTmp=true';
+  echo 'PrivateUsers=true';
+  echo 'PrivateDevices=true';
+  echo 'PrivateIPC=true';
+  echo 'MemoryDenyWriteExecute=true';
+  echo 'NoNewPrivileges=true';
+  echo 'LockPersonality=true';
+  echo 'RestrictRealtime=true';
+  echo 'RestrictSUIDSGID=true';
+  echo 'RestrictNamespaces=true';
+  echo 'SystemCallArchitectures=native';
   echo '';
   echo '[Install]';
   echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"

gemini/EN/install.gmi

@@ -47,6 +47,26 @@ Paste the following:
     Restart=always
     StandardError=syslog
     CPUQuota=80%
+    ProtectHome=true
+    ProtectKernelTunables=true
+    ProtectKernelModules=true
+    ProtectControlGroups=true
+    ProtectKernelLogs=true
+    ProtectHostname=true
+    ProtectClock=true
+    ProtectProc=invisible
+    ProcSubset=pid
+    PrivateTmp=true
+    PrivateUsers=true
+    PrivateDevices=true
+    PrivateIPC=true
+    MemoryDenyWriteExecute=true
+    NoNewPrivileges=true
+    LockPersonality=true
+    RestrictRealtime=true
+    RestrictSUIDSGID=true
+    RestrictNamespaces=true
+    SystemCallArchitectures=native
 
     [Install]
     WantedBy=multi-user.target

website/EN/index.html

@@ -1378,6 +1378,26 @@
       Restart=always<br>
       StandardError=syslog<br>
       CPUQuota=80%<br>
+      ProtectHome=true<br>
+      ProtectKernelTunables=true<br>
+      ProtectKernelModules=true<br>
+      ProtectControlGroups=true<br>
+      ProtectKernelLogs=true<br>
+      ProtectHostname=true<br>
+      ProtectClock=true<br>
+      ProtectProc=invisible<br>
+      ProcSubset=pid<br>
+      PrivateTmp=true<br>
+      PrivateUsers=true<br>
+      PrivateDevices=true<br>
+      PrivateIPC=true<br>
+      MemoryDenyWriteExecute=true<br>
+      NoNewPrivileges=true<br>
+      LockPersonality=true<br>
+      RestrictRealtime=true<br>
+      RestrictSUIDSGID=true<br>
+      RestrictNamespaces=true<br>
+      SystemCallArchitectures=native<br>      
       <br>
       [Install]<br>
       WantedBy=multi-user.target