From d946ee4079ee7d8d1a284bd3d0dcb9a07ada2da5 Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Thu, 9 Nov 2023 18:33:38 +0100
Subject: [PATCH] fixes systemd

---
 conf/bookwyrm-beat.service   | 4 ++--
 conf/bookwyrm-server.service | 4 ++++
 conf/bookwyrm-worker.service | 8 +++++++-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/conf/bookwyrm-beat.service b/conf/bookwyrm-beat.service
index 0094854..3d126df 100644
--- a/conf/bookwyrm-beat.service
+++ b/conf/bookwyrm-beat.service
@@ -16,10 +16,10 @@ ProtectHome=tmpfs
 InaccessiblePaths=-/media -/mnt -/srv
 PrivateTmp=yes
 TemporaryFileSystem=/var /run
-PrivateUsers=true
+#PrivateUsers=true
 PrivateDevices=true
 BindReadOnlyPaths=__INSTALL_DIR__
-BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
+#BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
 LockPersonality=yes
 MemoryDenyWriteExecute=true
 PrivateMounts=true
diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index 1c5ca73..60a0061 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -32,6 +32,10 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+DevicePolicy=closed
+ProtectProc=invisible
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
diff --git a/conf/bookwyrm-worker.service b/conf/bookwyrm-worker.service
index f3e9a12..e205b80 100644
--- a/conf/bookwyrm-worker.service
+++ b/conf/bookwyrm-worker.service
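Review bot: Commenting out `BindPaths=` on the new side of this hunk (and identically in the worker hunk at `@@ -19,7 +19,7 @@`) changes what the sandbox exposes, and neither the unit nor the one-line commit message "fixes systemd" records why. With the directive disabled, `__INSTALL_DIR__/images` and `__INSTALL_DIR__/static` are covered only by the remaining `BindReadOnlyPaths=__INSTALL_DIR__` and so become read-only inside the service, and `/var/run/postgresql` stays hidden under the `TemporaryFileSystem=/var /run` mount a few lines above, so any PostgreSQL connection over that Unix socket would no longer work from inside the sandbox. If the intent is to keep the stricter read-only view, delete the line rather than leave a disabled directive; otherwise restore it and put the reason in a comment such as `# BindPaths disabled: <reason, issue link>`. The same applies to the disabled `PrivateUsers=true` just above it, which the worker unit already carries as `#PrivateUsers=true`: record why user namespacing is off (for example, whether it conflicts with how the database socket or the install directory is owned) so the hardening is not lost silently.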
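Review bot: The four hardening lines added here are repeated verbatim in the worker hunk at `@@ -32,6 +32,12 @@` (which additionally copies `SystemCallArchitectures=` and `SystemCallFilter=` from this file), so three units now maintain the same policy by hand and will drift, as the `PrivateUsers` lines in beat and worker already had. Consider keeping the shared `[Service]` hardening in one drop-in fragment placed (or symlinked) under each unit's `.d/` directory, so a future tightening lands in every unit at once. `RestrictAddressFamilies=` also deserves a one-line comment on why `AF_NETLINK` is in the allow list (glibc's resolver is one plausible user when it sorts dual-stack results), e.g. `# AF_NETLINK: needed by <component> — drop if unused`, so a later reviewer neither removes it blindly nor leaves it unexplained. Note that `DevicePolicy=closed` is enforced through the device cgroup controller and, as far as I recall, does nothing where that is unavailable, whereas `PrivateDevices=true` (visible in the beat and worker hunks) limits device access unconditionally; this hunk does not show whether the server unit carries it, so check that it does.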
@@ -19,7 +19,7 @@ TemporaryFileSystem=/var /run
 #PrivateUsers=true
 PrivateDevices=true
 BindReadOnlyPaths=__INSTALL_DIR__
-BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
+#BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
 LockPersonality=yes
 MemoryDenyWriteExecute=true
 PrivateMounts=true
@@ -32,6 +32,12 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+DevicePolicy=closed
+ProtectProc=invisible
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html