From 31df48eabe03ecb4e413190d20cb685963dee8bd Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Wed, 14 Aug 2024 13:24:15 +0200
Subject: [PATCH] fix
---
 conf/redlib.conf | 17 +++++++++++++++++
 conf/systemd.service | 27 +++++++++++++++++++++++++--
 scripts/install | 8 ++++----
 3 files changed, 46 insertions(+), 6 deletions(-)
 create mode 100644 conf/redlib.conf
diff --git a/conf/redlib.conf b/conf/redlib.conf
new file mode 100644
index 0000000..7f7150d
--- /dev/null
+++ b/conf/redlib.conf
@@ -0,0 +1,17 @@
+ADDRESS=127.0.0.1
+PORT=__PORT__
+#REDLIB_DEFAULT_THEME=default
+#REDLIB_DEFAULT_FRONT_PAGE=default
+#REDLIB_DEFAULT_LAYOUT=card
+#REDLIB_DEFAULT_WIDE=off
+#REDLIB_DEFAULT_POST_SORT=hot
+#REDLIB_DEFAULT_COMMENT_SORT=confidence
+#REDLIB_DEFAULT_BLUR_SPOILER=off
+#REDLIB_DEFAULT_SHOW_NSFW=off
+#REDLIB_DEFAULT_BLUR_NSFW=off
+#REDLIB_DEFAULT_USE_HLS=off
+#REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION=off
+#REDLIB_DEFAULT_AUTOPLAY_VIDEOS=off
+#REDLIB_DEFAULT_SUBSCRIPTIONS=off (sub1+sub2+sub3)
+#REDLIB_DEFAULT_HIDE_AWARDS=off
+#REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION=off
\ No newline at end of file
diff --git a/conf/systemd.service b/conf/systemd.service
index 83cca9e..3278367 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
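Review bot: The sample line `#REDLIB_DEFAULT_SUBSCRIPTIONS=off (sub1+sub2+sub3)` keeps its format hint on the same line as the value, and systemd's `EnvironmentFile=` syntax has no trailing comments, so uncommenting it as written would hand the whole string `off (sub1+sub2+sub3)` to the service. Move the hint to its own comment line, for example `# Subscriptions are joined with "+": sub1+sub2+sub3`, and leave `#REDLIB_DEFAULT_SUBSCRIPTIONS=off` clean. `ADDRESS=127.0.0.1` and `PORT=__PORT__` also repeat the `-a`/`-p` arguments of the unit's ExecStart, so the listen address has two sources of truth; a one-line comment saying which one takes effect would help whoever edits this file later.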
@@ -7,8 +7,31 @@ After=network.service
 User=__APP__
 Group=__APP__
 DynamicUser=yes
-EnvironmentFile=-__INSTALL_DIR__/.env
-ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__ --env-file .env
+EnvironmentFile=-__INSTALL_DIR__/redlib.conf
+#ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__ --env-file .env
+ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__
+
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/install b/scripts/install
index c44df72..6ea2141 100755
--- a/scripts/install
+++ b/scripts/install
@@ -18,7 +18,7 @@ ynh_script_progression --message="Setting up source files..." --weight=1
 ynh_setup_source --dest_dir="$install_dir"
 chown -R $app:www-data "$install_dir"
-chmod +x $install_dir/libreddit && chown $app:$app $install_dir/libreddit
+chmod +x $install_dir/redlib && chown $app:$app $install_dir/redlib
 #=================================================
 # SYSTEM CONFIGURATION
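Review bot: `SystemCallFilter=@system-service ~@privileged ~@resources` puts the deny groups on the same line as the allow list, and systemd.exec documents `~` as an inversion prefix for the whole assignment rather than for single entries, so the two `~@…` words may be dropped with only a log warning, leaving the filter at plain `@system-service`. The documented form is two assignments, `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`; running `systemd-analyze security` against the installed unit shows what was actually applied. Separately, `RestrictAddressFamilies=AF_INET AF_INET6` leaves out AF_UNIX, which some name-resolution and logging paths rely on, so it is worth confirming that outbound lookups still work inside this sandbox. The commented-out `#ExecStart=… --env-file .env` line is history the commit already records and can be dropped.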
@@ -38,10 +38,10 @@ yunohost service add $app --description="Alternative to Reddit" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Adding a configuration file..." --weight=1
-ynh_add_config --template=".env" --destination="$install_dir/.env"
+ynh_add_config --template="redlib.conf" --destination="$install_dir/redlib.conf"
-chmod 400 "$install_dir/.env"
-chown $app:$app "$install_dir/.env"
+chmod 400 "$install_dir/redlib.conf"
+chown $app:$app "$install_dir/redlib.conf"
 #=================================================
 # START SYSTEMD SERVICE
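Review bot: `chown $app:$app "$install_dir/redlib.conf"` still hands the file to the service account, although after this commit the unit no longer passes `--env-file` and only loads it through `EnvironmentFile=`, which the service manager reads before it starts the process. Keeping it root-owned with `chown root:root "$install_dir/redlib.conf"` next to the existing `chmod 400` would presumably be enough, and it removes one file the service user can read; whether redlib itself still looks for the file is not visible here. The diffstat lists only scripts/install among the scripts, so if the upgrade, backup or restore scripts still refer to `.env` or `libreddit` they need the same rename, which cannot be checked from this patch.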