From 57762eb804c7cdd06ff3fad1f91c33216abe56c8 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>
Date: Sun, 21 Oct 2018 11:15:08 +0200
Subject: [PATCH] Add more security to systemd files

---
 conf/funkwhale-beat.service   | 16 +++++++++++++++-
 conf/funkwhale-server.service | 18 ++++++++++++++++--
 conf/funkwhale-worker.service | 18 ++++++++++++++++--
 3 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service
index f210dc8..da75461 100644
--- a/conf/funkwhale-beat.service
+++ b/conf/funkwhale-beat.service
@@ -5,10 +5,24 @@ PartOf=__APP__.target
 
 [Service]
 User=__APP__
-# adapt this depending on the path of your funkwhale installation
+Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
 ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
 
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=__APP__-beat
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
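Review bot: `ReadWritePaths=` in this unit also lists `__FINALPATH__/code/api`, which re-opens the application source tree for writing even though `ReadOnlyPaths=__FINALPATH__/code/` and `ProtectSystem=strict` are set just above; the server and worker units do not grant it. With that entry, a compromised beat process can still modify the code under the `WorkingDirectory` that all three units share. If the write access exists only for celery beat's schedule file (an inference, the hunk does not say), give the unit its own state directory and point beat at it, e.g. `StateDirectory=__APP__` plus `-s /var/lib/__APP__/celerybeat-schedule` on `ExecStart`. Then reduce the line to `ReadWritePaths=__FINALPATH__/media __FINALPATH__/import`.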
diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service
index a357f89..2e5705d 100644
--- a/conf/funkwhale-server.service
+++ b/conf/funkwhale-server.service
@@ -5,10 +5,24 @@ PartOf=__APP__.target
 
 [Service]
 User=__APP__
-# adapt this depending on the path of your funkwhale installation
+Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
 ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers
 
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=__APP__-server
+
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
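Review bot: The `ReadWritePaths=` entries carry no `-` prefix, so systemd refuses to start the unit at namespace setup if `__FINALPATH__/media` or `__FINALPATH__/import` does not exist on the host yet; the beat and worker units have the same line. Either write it as `ReadWritePaths=-__FINALPATH__/media -__FINALPATH__/import` so a missing path is skipped, or make sure the install step creates both directories before the units are enabled. Separately, `ReadOnlyPaths=` looks redundant here, since `ProtectSystem=strict` already makes the hierarchy read-only and `.env` lies under `code/`; if it is kept for readability, a one-line comment saying so would help.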
diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service
index ebf88b0..2a8bfbf 100644
--- a/conf/funkwhale-worker.service
+++ b/conf/funkwhale-worker.service
@@ -5,10 +5,24 @@ PartOf=__APP__.target
 
 [Service]
 User=__APP__
-# adapt this depending on the path of your funkwhale installation
+Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
 ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO
 
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=__APP__-worker
+
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
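Review bot: This hunk removes the only comment in the unit while adding a write allow-list that has to match the deployment, and nothing tells the administrator so. Under `ProtectSystem=strict` every path not named in `ReadWritePaths=` is read-only, so if the `.env` file places media or import storage anywhere other than `__FINALPATH__/media` and `__FINALPATH__/import`, the worker's writes fail with a read-only file system error. A comment above the line would make the coupling explicit, e.g. `# must list every directory the app writes to; keep in sync with the storage paths in .env`; the same applies to the beat and server units. As a style point, the new directives mix `true` and `yes`; one boolean spelling throughout would read better.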