scrutiny_ynh/conf/systemd-scrutiny-web-server.service

[Unit]
Description=Scrutiny Web Server
After=network-online.target

[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__
LogsDirectory=__APP__
StateDirectory=__APP__
ExecStart=__INSTALL_DIR__/bin/scrutiny-web-linux start --config __INSTALL_DIR__/config/scrutiny.yaml
Restart=always
RestartSec=10s
StandardOutput=append:/var/log/__APP__/web-server.log
StandardError=inherit

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged

# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG

[Install]
WantedBy=multi-user.target
Version v0.6.0 2023-03-06 21:25:34 +01:00			`[Unit]`
Fixing 2023-03-07 22:33:13 +01:00			`Description=Scrutiny Web Server`
Version v0.6.0 2023-03-06 21:25:34 +01:00			`After=network-online.target`

			`[Service]`
			`Type=simple`
			`User=__APP__`
			`Group=__APP__`
			`WorkingDirectory=__INSTALL_DIR__`
			`LogsDirectory=__APP__`
			`StateDirectory=__APP__`
Fix 2024-02-25 17:47:04 +01:00			`ExecStart=__INSTALL_DIR__/bin/scrutiny-web-linux start --config __INSTALL_DIR__/config/scrutiny.yaml`
Version v0.6.0 2023-03-06 21:25:34 +01:00			`Restart=always`
			`RestartSec=10s`
Fixing 2023-03-07 22:33:13 +01:00			`StandardOutput=append:/var/log/__APP__/web-server.log`
Version v0.6.0 2023-03-06 21:25:34 +01:00			`StandardError=inherit`

Harden the security of the systemd services 2023-03-06 22:28:57 +01:00			`# Sandboxing options to harden security`
			`# Depending on specificities of your service/app, you may need to tweak these`
			`# .. but this should be a good baseline`
			`# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`
Version v0.6.0 2023-03-06 21:25:34 +01:00			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
Harden the security of the systemd services 2023-03-06 22:28:57 +01:00			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`DevicePolicy=closed`
Version v0.6.0 2023-03-06 21:25:34 +01:00			`ProtectClock=yes`
Harden the security of the systemd services 2023-03-06 22:28:57 +01:00			`ProtectHostname=yes`
			`ProtectProc=invisible`
			`ProtectSystem=full`
			`ProtectControlGroups=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`LockPersonality=yes`
			`SystemCallArchitectures=native`
			`SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged`

			`# Denying access to capabilities that should not be relevant for webapps`
			`# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html`
			`CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD`
			`CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE`
			`CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT`
			`CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK`
			`CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM`
			`CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG`
			`CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE`
			`CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW`
			`CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG`
Version v0.6.0 2023-03-06 21:25:34 +01:00
			`[Install]`
			`WantedBy=multi-user.target`