Add hardened systemd unit file

author: Sven-Hendrik Haase <svenstaro@gmail.com> 2021-04-18 07:27:57 +0000
committer: Sven-Hendrik Haase <svenstaro@gmail.com> 2021-04-18 07:28:02 +0000
commit: 26395cd3595db1988fa64d7c8c0bc814c6631548 (patch)
tree: 4ec3eb4c576ac0f4f73d4926ca3688fd865de766 /packaging/miniserve@.service
parent: (cargo-release) start next development iteration 0.14.1-alpha.0 (diff)
download: miniserve-26395cd3595db1988fa64d7c8c0bc814c6631548.tar.gz
miniserve-26395cd3595db1988fa64d7c8c0bc814c6631548.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/packaging/miniserve@.service b/packaging/miniserve@.service
new file mode 100644
index 0000000..9dc5fe0
--- /dev/null
+++ b/packaging/miniserve@.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=miniserve for %i
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+ExecStart=/usr/bin/miniserve -- %I
+
+IPAccounting=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+DynamicUser=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateDevices=yes
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+
+[Install]
+WantedBy=multi-user.target
author	Sven-Hendrik Haase <svenstaro@gmail.com>	2021-04-18 07:27:57 +0000
committer	Sven-Hendrik Haase <svenstaro@gmail.com>	2021-04-18 07:28:02 +0000
commit	26395cd3595db1988fa64d7c8c0bc814c6631548 (patch)
tree	4ec3eb4c576ac0f4f73d4926ca3688fd865de766 /packaging/miniserve@.service
parent	(cargo-release) start next development iteration 0.14.1-alpha.0 (diff)
download	miniserve-26395cd3595db1988fa64d7c8c0bc814c6631548.tar.gz miniserve-26395cd3595db1988fa64d7c8c0bc814c6631548.zip