diff --git a/README.md b/README.md index a0acedc..6eea6b6 100644 --- a/README.md +++ b/README.md @@ -28,9 +28,6 @@ Galène is a videoconference server (an “SFU”) that is easy to deploy and th - streaming video and audio from disk - activity detection - LDAP support - -### Server features - - redistribution of arbitrary numbers of audio and video streams; - text chat; - recording to disk; diff --git a/check_process b/check_process index 89ea880..a7e831f 100644 --- a/check_process +++ b/check_process @@ -15,11 +15,6 @@ setup_private=1 setup_public=1 upgrade=1 - upgrade=1 from_commit=aaae7fbe83ce001fabd40509882e765a5d8da2c1 - # 0.6~ynh1 - upgrade=1 from_commit=c5cc50f1b1f326080f4f657b7805f2c27c1c3f20 - # 0.6.1~ynh1 - upgrade=1 from_commit=f55a3d1990a0fb2fe17eb9b70aefb13337c2b623 # 0.6.1~ynh2 upgrade=1 from_commit=ed1506fa3eb56358fecb06d832c9684acbf682d9 backup_restore=1 @@ -30,6 +25,6 @@ Email= Notification=none ;;; Upgrade options - ; commit=aaae7fbe83ce001fabd40509882e765a5d8da2c1 - name=Testing (#62) + ; commit=ed1506fa3eb56358fecb06d832c9684acbf682d9 + name=0.6.1~ynh2 manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr&is_public=1&password=pass&port=666& diff --git a/conf/systemd.service b/conf/systemd.service index 22f27a4..e17fa3f 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -11,5 +11,34 @@ WorkingDirectory=__INSTALL_DIR__/live/ ExecStart=__INSTALL_DIR__/live/galene -http "127.0.0.1:__PORT__" -insecure -turn __PUBLIC_IP4__:__PORT_TURN__ -udp-range 49152-65535 -groups __DATA_DIR__/groups -recordings __DATA_DIR__/recordings -data __INSTALL_DIR__/live/data/ LimitNOFILE=65536 +# various hardening options +ReadWritePaths=/var/lib/galene/recordings +CapabilityBoundingSet= +AmbientCapabilities= +PrivateTmp=yes +PrivateDevices=yes +DevicePolicy=closed +ProtectSystem=strict +ProtectHome=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +ProtectHostname=yes +ProtectClock=yes +NoNewPrivileges=yes +MountFlags=private +LockPersonality=yes +RestrictRealtime=yes +RestrictNamespaces=yes +RestrictSUIDSGID=yes +KeyringMode=private +MemoryDenyWriteExecute=yes +RemoveIPC=yes +SystemCallArchitectures=native +SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @timer @resources @privileged @pkey @obsolete @setuid +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +UMask=0077 + [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md index 40f8d90..a527d48 100644 --- a/doc/DESCRIPTION.md +++ b/doc/DESCRIPTION.md @@ -11,18 +11,3 @@ Galène is a videoconference server (an “SFU”) that is easy to deploy and th - streaming video and audio from disk - activity detection - LDAP support - -### Server features - -- redistribution of arbitrary numbers of audio and video streams; -- text chat; -- recording to disk; -- user statuses ("raise hand", etc.); -- choice of audio and video codecs (full functionality for VP8, VP9, and H.264, preliminary support for AV1); -- Simulcast; -- Scalable Video Coding (SVC) for VP8 and VP9; -- automatic restarting of failed flows (on ICE failure); -- congestion control in the server → client direction (both loss-based and using REMB indications); -- congestion control in the client → server direction (loss-based, partial REMB support); -- dynamic tuning of buffer sizes depending on the clients' RTT; -- built-in TURN server.