From 21e972797f9601f13b2eff5855e57bd8d40c81dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?= <felix@piedallu.me>
Date: Thu, 18 Jan 2024 14:36:13 +0100
Subject: [PATCH] small systemd update

---
 conf/systemd.service | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index ea48f10..3b0be5c 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,8 +1,9 @@
 [Unit]
 Description=__APP__ server
-After=redis.service postgresql.service
+After=network.target redis.service postgresql.service
 
 [Service]
+Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
@@ -11,5 +12,40 @@ StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=__APP__-server
 
+# FIXME: Test all that
+# ### Depending on specificities of your service/app, you may need to tweak these
+# ### .. but this should be a good baseline
+# # Sandboxing options to harden security
+# # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# NoNewPrivileges=yes
+# PrivateTmp=yes
+# PrivateDevices=yes
+# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+# RestrictNamespaces=yes
+# RestrictRealtime=yes
+# DevicePolicy=closed
+# ProtectClock=yes
+# ProtectHostname=yes
+# ProtectProc=invisible
+# ProtectSystem=full
+# ProtectControlGroups=yes
+# ProtectKernelModules=yes
+# ProtectKernelTunables=yes
+# LockPersonality=yes
+# SystemCallArchitectures=native
+# SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# # Denying access to capabilities that should not be relevant for webapps
+# # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+# CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+# CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+# CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+# CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+# CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+# CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+# CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+# CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+# CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target