systemd service hardening

+ add systemd protective features to restrict the system access
+ add service documentation link
+ add service required / after fields
nico 2020-06-10 12:00:12 +02:00
parent 6c08f4bb64
commit a6d1ae443e
Signed by: mightyBroccoli
GPG Key ID: EA7C31AAB1BDC1A2
3 changed files with 29 additions and 0 deletions


@ -1,5 +1,7 @@
[Unit]
Description=Clean up ejabberd
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
Requires=ejabberd.service
[Service]
Type=oneshot
@ -8,6 +10,13 @@ Group=nobody
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/opt/ejabberd-tools/cleanup.py
WorkingDirectory=/opt/ejabberd-tools/
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=yes
ProtectSystem=full
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
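Review bot: `ProtectSystem=full` in the added block only makes /usr, the boot directories and /etc read-only, so /opt/ejabberd-tools/ (where the `ExecStart=` script and the venv on `PATH` live) stays writable to the service as far as file permissions allow. `ProtectSystem=strict` with an explicit `ReadWritePaths=` for whatever cleanup.py actually has to write (not visible here) would close that, and `PrivateTmp=true` would complete the set. The same block is repeated in the prometheus and influx exporter units further down, so the change applies there too. The booleans also mix `true` and `yes`; picking one keeps the three files easy to compare.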


@ -1,5 +1,8 @@
[Unit]
Description=ejabberd prometheus exporter
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
After=prometheus.service
Requires=ejabberd.service prometheus.service
[Service]
Type=simple
@ -8,6 +11,13 @@ Group=nobody
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/opt/ejabberd-tools/prometheus.py
WorkingDirectory=/opt/ejabberd-tools/
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=yes
ProtectSystem=full
NoNewPrivileges=yes
Restart=always
RestartSec=5s
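Review bot: `Requires=ejabberd.service` in the new [Unit] lines has no matching `After=`, and Requires= on its own does not order units, so the exporter can be started in parallel with ejabberd and begin polling before it is up; `After=ejabberd.service prometheus.service` would cover it. The cleanup unit (no After= visible at all) and the influx exporter have the same gap. Separately, `Requires=prometheus.service` means the exporter is stopped or restarted whenever Prometheus is explicitly stopped or restarted, and it assumes Prometheus runs on the same host. If the exporter only needs to be scraped, `Wants=prometheus.service` is probably closer to the intent.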


@ -1,5 +1,8 @@
[Unit]
Description=ejabberd influxdb exporter
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
After=influxdb.service
Requires=ejabberd.service influxdb.service
[Service]
Type=simple
@ -8,6 +11,13 @@ Group=nogroup
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/opt/ejabberd-tools/influx.py
WorkingDirectory=/opt/ejabberd-tools/
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=yes
ProtectSystem=full
NoNewPrivileges=yes
Restart=always
RestartSec=5s
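Review bot: The hunk context shows `Group=nogroup` here and `Group=nobody` in the other two units, which suggests all three run under the shared nobody identity; `User=` itself lies outside the hunk, so confirm. The sandboxing directives added here restrict filesystem and kernel access but do not separate the service from any other process running under that same UID, and systemd's documentation advises against running services as nobody. A dedicated system user per unit, or `DynamicUser=yes` if the scripts and venv under /opt/ejabberd-tools/ are world-readable, would make the hardening block effective against neighbouring processes as well. The `nogroup`/`nobody` difference between the units is also worth normalising.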