YunoHost-Apps/headphones_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/headphones_ynh.git synced 2024-09-03 19:26:02 +02:00
Code Issues Activity Actions

Merge pull request #8 from YunoHost-Apps/testing

Browse source 
fic linter
This commit is contained in:
Éric Gaspar 2023-01-12 09:29:30 +01:00 committed by GitHub
commit 5b8f72e3f2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
conf/nginx.conf
View file

@ -1,7 +1,7 @@
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__/ { location __PATH__/ {
proxy_pass http://localhost:__PORT__; proxy_pass http://localhost:__PORT__;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;

34
conf/systemd.service
View file

@ -8,5 +8,39 @@ Group=__APP__
WorkingDirectory=__FINALPATH__/ WorkingDirectory=__FINALPATH__/
ExecStart=__FINALPATH__/venv/bin/python3 __FINALPATH__/Headphones.py --config /etc/__APP__/__APP__.ini --datadir __DATADIR__ --nolaunch ExecStart=__FINALPATH__/venv/bin/python3 __FINALPATH__/Headphones.py --config /etc/__APP__/__APP__.ini --datadir __DATADIR__ --nolaunch
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

2
manifest.json
View file

@ -18,7 +18,7 @@
"email": "" "email": ""
}, },
"requirements": { "requirements": {
"yunohost": ">= 4.3.0" "yunohost": ">= 11.0.9"
}, },
"multi_instance": true, "multi_instance": true,
"services": [ "services": [