systemd service hardening
+ add systemd protective features to restrict system access + add service documentation link + add service Requires / After fields
This commit is contained in:
parent
6c08f4bb64
commit
a6d1ae443e
@ -1,5 +1,7 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Clean up ejabberd
|
Description=Clean up ejabberd
|
||||||
|
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
|
||||||
|
Requires=ejabberd.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -8,6 +10,13 @@ Group=nobody
|
||||||
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
||||||
ExecStart=/opt/ejabberd-tools/cleanup.py
|
ExecStart=/opt/ejabberd-tools/cleanup.py
|
||||||
WorkingDirectory=/opt/ejabberd-tools/
|
WorkingDirectory=/opt/ejabberd-tools/
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
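Review bot: The added `Requires=ejabberd.service` in the `[Unit]` section carries no ordering, so systemd may start this oneshot cleanup in parallel with ejabberd rather than after it; `Requires=` only pulls the unit in, ordering needs an explicit `After=ejabberd.service` next to it. The two exporter sections below have the same gap: they add `After=` for prometheus.service / influxdb.service but not for ejabberd.service, which is also listed in their `Requires=`. The new hardening lines mix two spellings of the same boolean (`PrivateDevices=true` … `ProtectKernelModules=yes`, `NoNewPrivileges=yes`); picking one form for all seven keys makes the block easier to audit. `ProtectSystem=full` leaves /var and other writable paths untouched, so if cleanup.py does not need to write outside its own directory, `ProtectSystem=strict` with an explicit `ReadWritePaths=` would be the tighter setting — that depends on what the script writes, which is not visible here.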
|
|
|
@ -1,5 +1,8 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=ejabberd prometheus exporter
|
Description=ejabberd prometheus exporter
|
||||||
|
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
|
||||||
|
After=prometheus.service
|
||||||
|
Requires=ejabberd.service prometheus.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
@ -8,6 +11,13 @@ Group=nobody
|
||||||
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
||||||
ExecStart=/opt/ejabberd-tools/prometheus.py
|
ExecStart=/opt/ejabberd-tools/prometheus.py
|
||||||
WorkingDirectory=/opt/ejabberd-tools/
|
WorkingDirectory=/opt/ejabberd-tools/
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
NoNewPrivileges=yes
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=5s
|
RestartSec=5s
|
||||||
|
|
||||||
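Review bot: This exporter is a long-running process (`Type=simple`, `Restart=always`) and, judging by its name, likely listens on the network, yet the new block adds no `PrivateTmp=true` and none of the restrictions systemd offers for that case, such as `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` or `SystemCallFilter=@system-service`; the `Protect*` keys added here limit filesystem and kernel access but not what the process can do on the socket and syscall side. Whether those fit depends on what prometheus.py actually opens, which the hunk does not show, so they should be confirmed against the script before being added. The influxdb exporter section below is the same shape and would take the same additions. The `Group=nobody` shown in the hunk header differs from `Group=nogroup` in the influxdb section, which looks like an inconsistency worth checking even though it is not part of this change.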
|
|
|
@ -1,5 +1,8 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=ejabberd influxdb exporter
|
Description=ejabberd influxdb exporter
|
||||||
|
Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
|
||||||
|
After=influxdb.service
|
||||||
|
Requires=ejabberd.service influxdb.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
@ -8,6 +11,13 @@ Group=nogroup
|
||||||
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
||||||
ExecStart=/opt/ejabberd-tools/influx.py
|
ExecStart=/opt/ejabberd-tools/influx.py
|
||||||
WorkingDirectory=/opt/ejabberd-tools/
|
WorkingDirectory=/opt/ejabberd-tools/
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
NoNewPrivileges=yes
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=5s
|
RestartSec=5s
|
||||||
|
|
||||||
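Review bot: `Requires=ejabberd.service influxdb.service` makes systemd stop this exporter whenever influxdb.service is stopped and pull influxdb in whenever the exporter starts; with `Restart=always` already handling process exits, `Wants=ejabberd.service influxdb.service` may be the better fit if influx.py can tolerate a temporarily unavailable backend and retry on its own. Which of the two is right depends on the script's behaviour, which is not visible in the hunk, so this is a question for the author rather than a definite defect. The same choice applies to the prometheus exporter section above.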
|
|