fix

2024-09-03 19:36:05 +02:00 · 2024-08-14 13:24:15 +02:00 · 2024-08-14 13:24:15 +02:00 · 31df48eabe
commit 31df48eabe
parent 6b31d08a18
3 changed files with 46 additions and 6 deletions
--- a/conf/redlib.conf
+++ b/conf/redlib.conf
@ -0,0 +1,17 @@
+ADDRESS=127.0.0.1
+PORT=__PORT__
+#REDLIB_DEFAULT_THEME=default
+#REDLIB_DEFAULT_FRONT_PAGE=default
+#REDLIB_DEFAULT_LAYOUT=card
+#REDLIB_DEFAULT_WIDE=off
+#REDLIB_DEFAULT_POST_SORT=hot
+#REDLIB_DEFAULT_COMMENT_SORT=confidence
+#REDLIB_DEFAULT_BLUR_SPOILER=off
+#REDLIB_DEFAULT_SHOW_NSFW=off
+#REDLIB_DEFAULT_BLUR_NSFW=off
+#REDLIB_DEFAULT_USE_HLS=off
+#REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION=off
+#REDLIB_DEFAULT_AUTOPLAY_VIDEOS=off
+#REDLIB_DEFAULT_SUBSCRIPTIONS=off (sub1+sub2+sub3)
+#REDLIB_DEFAULT_HIDE_AWARDS=off
+#REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION=off
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -7,8 +7,31 @@ After=network.service
 User=__APP__
 Group=__APP__
 DynamicUser=yes
-EnvironmentFile=-__INSTALL_DIR__/.env
-ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__ --env-file .env
+EnvironmentFile=-__INSTALL_DIR__/redlib.conf
+#ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__ --env-file .env
+ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__
+
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077

 [Install]
 WantedBy=multi-user.target
--- a/scripts/install
+++ b/scripts/install
@ -18,7 +18,7 @@ ynh_script_progression --message="Setting up source files..." --weight=1
 ynh_setup_source --dest_dir="$install_dir"

 chown -R $app:www-data "$install_dir"
-chmod +x $install_dir/libreddit && chown $app:$app $install_dir/libreddit
+chmod +x $install_dir/redlib && chown $app:$app $install_dir/redlib

 #=================================================
 # SYSTEM CONFIGURATION
@ -38,10 +38,10 @@ yunohost service add $app --description="Alternative to Reddit" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Adding a configuration file..." --weight=1

-ynh_add_config --template=".env" --destination="$install_dir/.env"
+ynh_add_config --template="redlib.conf" --destination="$install_dir/redlib.conf"

-chmod 400 "$install_dir/.env"
-chown $app:$app "$install_dir/.env"
+chmod 400 "$install_dir/redlib.conf"
+chown $app:$app "$install_dir/redlib.conf"

 #=================================================
 # START SYSTEMD SERVICE