mirror of
https://github.com/YunoHost-Apps/hat_ynh.git
synced 2024-09-03 19:16:04 +02:00
cleaning
This commit is contained in:
Éric Gaspar
parent
cd46b53b26
commit
9f70e5658c
3 changed files with 36 additions and 1 deletions
|
|
@ -12,5 +12,39 @@ Environment=PATH=__ENV_PATH__
|
||||||
Environment=NODE_ENV=production
|
Environment=NODE_ENV=production
|
||||||
ExecStart=__YNH_NPM__ run start
|
ExecStart=__YNH_NPM__ run start
|
||||||
|
|
||||||
|
# Sandboxing options to harden security
|
||||||
|
# Depending on specificities of your service/app, you may need to tweak these
|
||||||
|
# .. but this should be a good baseline
|
||||||
|
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
DevicePolicy=closed
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=full
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||||
|
|
||||||
|
# Denying access to capabilities that should not be relevant for webapps
|
||||||
|
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||||
|
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||||
|
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
|
||||||
|
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
|
||||||
|
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||||
|
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||||
|
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
1
doc/DESCRIPTION_fr.md
Normal file
1
doc/DESCRIPTION_fr.md
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Hat.sh est une application Web qui fournit un chiffrement local sécurisé des fichiers dans le navigateur. Il est rapide, sécurisé et utilise des algorithmes cryptographiques modernes avec un chiffrement/déchiffrement de flux AEAD fragmenté.
|
||||||
|
|
@ -5,7 +5,7 @@
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# nodejs version
|
# nodejs version
|
||||||
nodejs_version=18
|
nodejs_version=20
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# PERSONAL HELPERS
|
# PERSONAL HELPERS
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue