fix encoding

conf/systemd.service

@@ -1 +1,48 @@
-%5BUnit%5D%0D%0ADescription%3DGancio%20%3A%20federated%20agenda%0D%0AAfter%3Dnetwork.target%0D%0A%0D%0A%5BService%5D%0D%0AType%3Dsimple%0D%0AUser%3D__APP__%0D%0AGroup%3D__APP__%0D%0AWorkingDirectory%3D__INSTALL_DIR__%2F%0D%0AEnvironment%3D%22__YNH_NODE_LOAD_PATH__%22%0D%0AExecStart%3D__YNH_NPM__%20gancio%20start%20--config%20.%2Fconfig.json%0D%0A%0D%0A%23%20Sandboxing%20options%20to%20harden%20security%0D%0A%23%20Depending%20on%20specificities%20of%20your%20service%2Fapp%2C%20you%20may%20need%20to%20tweak%20these%0D%0A%23%20..%20but%20this%20should%20be%20a%20good%20baseline%0D%0A%23%20Details%20for%20these%20options%3A%20https%3A%2F%2Fwww.freedesktop.org%2Fsoftware%2Fsystemd%2Fman%2Fsystemd.exec.html%0D%0ANoNewPrivileges%3Dyes%0D%0APrivateTmp%3Dyes%0D%0APrivateDevices%3Dyes%0D%0ARestrictAddressFamilies%3DAF_UNIX%20AF_INET%20AF_INET6%20AF_NETLINK%0D%0ARestrictNamespaces%3Dyes%0D%0ARestrictRealtime%3Dyes%0D%0ADevicePolicy%3Dclosed%0D%0AProtectClock%3Dyes%0D%0AProtectHostname%3Dyes%0D%0AProtectProc%3Dinvisible%0D%0AProtectSystem%3Dfull%0D%0AProtectControlGroups%3Dyes%0D%0AProtectKernelModules%3Dyes%0D%0AProtectKernelTunables%3Dyes%0D%0ALockPersonality%3Dyes%0D%0ASystemCallArchitectures%3Dnative%0D%0ASystemCallFilter%3D~%40clock%20%40debug%20%40module%20%40mount%20%40obsolete%20%40reboot%20%40setuid%20%40swap%20%40cpu-emulation%20%40privileged%0D%0A%0D%0A%23%20Denying%20access%20to%20capabilities%20that%20should%20not%20be%20relevant%20for%20webapps%0D%0A%23%20Doc%3A%20https%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman7%2Fcapabilities.7.html%0D%0ACapabilityBoundingSet%3D~CAP_RAWIO%20CAP_MKNOD%0D%0ACapabilityBoundingSet%3D~CAP_AUDIT_CONTROL%20CAP_AUDIT_READ%20CAP_AUDIT_WRITE%0D%0ACapabilityBoundingSet%3D~CAP_SYS_BOOT%20CAP_SYS_TIME%20CAP_SYS_MODULE%20CAP_SYS_PACCT%0D%0ACapabilityBoundingSet%3D~CAP_LEASE%20CAP_LINUX_IMMUTABLE%20CAP_IPC_LOCK%0D%0ACapabilityBoundingSet%3D~CAP_BLOCK_SUSPEND%20CAP_WAKE_ALARM%0D%0ACapabilityBoundingSet%3D~CAP_SYS_TTY_CONFIG%0D%0ACapabilityBoundingSet%3D~CAP_MAC_ADMIN%20CAP_MAC_OVERRIDE%0D%0ACapabilityBoundingSet%3D~CAP_NET_ADMIN%20CAP_NET_BROADCAST%20CAP_NET_RAW%0D%0ACapabilityBoundingSet%3D~CAP_SYS_ADMIN%20CAP_SYS_PTRACE%20CAP_SYSLOG%0D%0A%0D%0A%5BInstall%5D%0D%0AWantedBy%3Dmulti-user.target
+[Unit]
+Description=Gancio : federated agenda
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+Environment="__YNH_NODE_LOAD_PATH__"
+ExecStart=__YNH_NPM__ gancio start --config ./config.json
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target