From 288d35ddb66f97e716bd9f249a30d4555685730b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Tue, 17 Oct 2023 17:23:03 +0200
Subject: [PATCH] cleaning

---
 conf/systemd.service | 49 --------------------------------------------
 scripts/upgrade | 8 ++++----
 2 files changed, 4 insertions(+), 53 deletions(-)
 delete mode 100644 conf/systemd.service

diff --git a/conf/systemd.service b/conf/systemd.service
deleted file mode 100644
index f100e84..0000000
--- a/conf/systemd.service
+++ /dev/null
@@ -1,49 +0,0 @@
-[Unit]
-Description=Small description of the service
-After=network.target
-
-[Service]
-Type=simple
-User=__APP__
-Group=__APP__
-WorkingDirectory=__INSTALL_DIR__/
-ExecStart=__INSTALL_DIR__/script
-StandardOutput=append:/var/log/__APP__/__APP__.log
-StandardError=inherit
-
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectClock=yes
-ProtectHostname=yes
-ProtectProc=invisible
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
-
-# Denying access to capabilities that should not be relevant for webapps
-# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
-
-[Install]
-WantedBy=multi-user.target
diff --git a/scripts/upgrade b/scripts/upgrade
index d8a487a..f408957 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -46,12 +46,12 @@ ynh_add_nginx_config
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
-ynh_script_progression --message="Updating a configuration file..." --weight=1
+#ynh_script_progression --message="Updating a configuration file..." --weight=1

-ynh_add_config --template="config.json" --destination="$install_dir/public/config.json"
+#ynh_add_config --template="config.json" --destination="$install_dir/public/config.json"

-chmod 400 "$install_dir/public/config.json"
-chown $app:$app "$install_dir/public/config.json"
+#chmod 400 "$install_dir/public/config.json"
+#chown $app:$app "$install_dir/public/config.json"

 #=================================================
 # END OF SCRIPT
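Review bot: The four statements under the `UPDATE A CONFIG FILE` banner are disabled by prefixing `#` instead of being removed, which leaves dead code and an empty section header in scripts/upgrade. If config.json is no longer part of the app, delete the lines and the banner outright, since the history keeps the old version. If instances installed from an earlier version may still hold `$install_dir/public/config.json`, the upgrade no longer re-applies `chmod 400` and `chown $app:$app` to it, so either keep those two lines or remove the stale file during upgrade. Which case applies cannot be told from this hunk, so a one-line comment such as `# config.json is no longer templated since <version placeholder>` would record the reason.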